These Software & Services Terms and Conditions (“Agreement”) supplement any additional online terms acknowledged by Customer or any separate written agreement executed by the parties (“Order”) and set forth the terms and conditions under which Leading Reach, Inc. (“LeadingReach”) will provide access to certain proprietary technology to the party accessing the Software. The Agreement sets forth the terms and conditions under which Customer may Use (as defined herein) LeadingReach’s software (“Software”). Customer cannot use the Software until Customer has carefully read and agreed to this Agreement by clicking “I Accept”. If Customer disagrees with the terms and conditions of this Agreement, Customer cannot use the Software. Furthermore, by accessing, loading, or otherwise using the Software, which may include related materials and documentation, or any portion thereof, Customer agrees to be bound by all of the terms of this Agreement.
1. SUBSCRIPTION GRANT, RIGHT OF USE, AND SERVICES
1.1. Subscription Grant. Subject to all limitations and restrictions contained herein and the online Subscription Order, LeadingReach grants Customer a subscription, software as a service (SaaS), nonexclusive and nontransferable right to use the Software as hosted by LeadingReach as described in the Software documentation (“Use”).
1.2. Use. The Software is owned and operated by LeadingReach. The Software and its content (“Content”) and the LeadingReach SaaS service (“Service”) may only be accessed in accordance with this Agreement. Any violation of the copyright in the Content or these terms and conditions may be enforced by LeadingReach to the fullest extent allowed by law. Customer shall not allow any website, that is not fully owned by Customer, to frame, syndicate, distribute, replicate, or copy any portion of Customer’s web site that provides direct or indirect access to the Software. In addition, Customer understands and acknowledges that upon accepting this Agreement, an account will be created for Customer.
1.3. Customer Account & User Access. Customer and its users may be verified prior to gaining access to Customer account(s). Customer and its users may only use the Software in connection with its organization and agrees that it is authorized to view Protected Health Information (“PHI”). Each user of the Software must have a separate and unique login except as specifically agreed by LeadingReach in writing. Users may not use their LeadingReach usernames and passwords for any unauthorized purpose. Users may not share, loan or transfer any username or password, or otherwise give access to a login in a manner designed to evade this prohibition. A single user login account under any LeadingReach subscription plan with a generic email address and/or generic name may be terminated at the sole discretion of LeadingReach.
1.4. Additional Restrictions. In no event shall Customer disassemble, decompile, or reverse engineer the Software or Confidential Information (as defined herein) or permit others to do so. Disassembling, decompiling, and reverse engineering include, without limitation: (i) converting the Software from a machine-readable form into a human-readable form; (ii) disassembling or decompiling the Software by using any means or methods to translate machine-dependent or machine-independent object code into the original human-readable source code or any approximation thereof; (iii) examining the machine-readable object code that controls the Software’s operation and creating the original source code or any approximation thereof by, for example, studying the Software’s behavior in response to a variety of inputs; or (iv) performing any other activity related to the Software that could be construed to be reverse engineering, disassembling, or decompiling. To the extent any such activity may be permitted pursuant to written agreement, the results thereof shall be deemed Confidential Information subject to the requirements of this Agreement. Customer may use LeadingReach’s Confidential Information solely in connection with the Software and pursuant to the terms of this Agreement. LeadingReach reserves all rights not specifically granted herein. Customer shall not modify any copyright notices, proprietary legends, any trademark and service mark attributions, any patent markings, and other indicia of ownership on the Content or other materials accessed through the Service. The delivery of, and license to, the Content and/or access to third party materials does not transfer to Customer any commercial or promotional use rights in the Content or any portion thereof. Any use of Content, or descriptions; any derivative use of this Site or its materials; and any use of data mining, robots, or similar data gathering and extraction tools is strictly prohibited. 
In no event shall the Customer frame any portion of the Site or any materials contained therein.
2. PAYMENT. No method of payment required for qualified Free (Network Level) Accounts.
2.1. Fees. Customer shall pay LeadingReach the then-current fees of the Software by recurring credit card or ACH charge. If Customer has negotiated to pay the fees indicated on the Subscription Order by invoice, all fees shall be paid to LeadingReach within thirty (30) days of receipt of invoice. Any late payment shall be subject to any costs of collection (including reasonable legal fees) and shall bear interest at the rate of one and one-half percent (1.5%) per month (prorated for partial periods) or at the maximum rate permitted by law, whichever is less.
2.2. Non-Payment. LeadingReach may disable your account(s) for non-payment. You acknowledge and agree that if LeadingReach disables access to your account(s), you may be prevented from accessing the Services, your account details or any files or other materials which are contained in your account until full payment has been made for any and all outstanding amounts due along with any reactivation fee.
2.3. Taxes. The subscription, service fees, and other amounts required to be paid hereunder do not include any amount for taxes or levy (including interest and penalties). Customer shall reimburse LeadingReach and hold LeadingReach harmless for all sales, use, VAT, excise, property or other taxes or levies which LeadingReach is required to collect or remit to applicable tax authorities. This provision does not apply to LeadingReach’s income or franchise taxes, or any taxes for which Customer is exempt, provided Customer has furnished LeadingReach with a valid tax exemption certificate.
3. MAINTENANCE AND SUPPORT SERVICES
3.1. Maintenance. LeadingReach shall use commercially reasonable efforts to provide corrections to reported problems that (i) prevent the Software from conforming in material respects to its specifications, and (ii) are replicated and diagnosed by LeadingReach as defects in the Software (“Maintenance and Support Services”). LeadingReach shall use commercially reasonable efforts to begin working on a resolution to Customer’s written notice of reported problems within fourteen (14) days, provided corrections shall be prioritized in LeadingReach’s reasonable discretion. A response is not a guaranty of a solution to the reported problem; however, LeadingReach will keep Customer apprised of the resolution closure. Additional features and functions are not included as part of the maintenance and support services.
3.2. Service Availability. LeadingReach’s goal is to provide Software Availability twenty-four hours per day, seven (7) days per week (referred to as “24×7 Availability”) EXCEPT during times of scheduled updates. However, the parties recognize that 24×7 Availability is only a GOAL, and LeadingReach cannot represent or guarantee that such goal can be achieved. These response time goals apply only to public production servers (i.e., web servers, application servers, and database servers). LeadingReach shall use reasonable efforts to achieve 99% Software Availability in North America. The Software Availability goal excludes any time Customer requests the site be taken down for scheduled updates. LeadingReach does not and cannot control the flow of data to or from LeadingReach’s network and other portions of the Internet. Such flow depends in large part on the performance of Internet services provided or controlled by third parties. At times, actions or inactions of such third parties can impair or disrupt Customer’s connections to the Internet (or portions thereof). Although LeadingReach will use reasonable efforts to take actions it deems appropriate to remedy and avoid such events, LeadingReach cannot guarantee that such events will not occur. Accordingly, LeadingReach disclaims any and all liability resulting from or related to such events.
3.3. Exclusions. LeadingReach shall not be obligated to provide Maintenance and Support Services for any software other than the generally available Software delivered to Customer pursuant to this Agreement (collectively the “Unsupported Code”). Any LeadingReach support services related to Unsupported Code shall be subject to execution of a mutually agreed upon assignment order issued under a professional services agreement.
3.4. Third Parties. LeadingReach shall have the right to use third parties, including employees of LeadingReach’s affiliates and subsidiaries (“Subcontractors”) in performance of its obligations and services hereunder and, for purposes of this Section, all references to LeadingReach or its employees shall be deemed to include such Subcontractors.
3.5. Restrictions. Customer agrees not to access (or attempt to access) any of the Services by any means other than through the interface that is provided by LeadingReach, unless Customer has been specifically allowed to do so in a separate written agreement with LeadingReach. Customer agrees that Customer will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services). Unless Customer has been specifically permitted to do so in a separate written agreement with LeadingReach, Customer agrees that it will not reproduce, duplicate, copy, sell, trade or resell the Services for any purpose. Customer agrees that Customer is solely responsible for (and that LeadingReach has no responsibility to Customer or to any third party for) any breach of your obligations under this Agreement and for the consequences (including any loss or damage which LeadingReach may suffer) of any such breach. Users of the Software may post comments, materials and other information, provided, the materials do not contain any unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, or hateful content or content which is racially, ethnically or otherwise objectionable, or which infringes upon the rights of any third party. You acknowledge that by accessing the Site, you may come into contact with content that you find harmful, offensive, threatening, indecent or objectionable and you acknowledge that LeadingReach shall have no liability to you for the content including, but not limited to explicit language and other potentially offensive material. The user agrees to not impersonate any person or communicate under a false name or a name the user is not entitled or authorized to use. LeadingReach has the right (but not the obligation) to remove, prohibit, edit or discontinue any content on the Site, including content that has been posted by users.
4.1. Reservation of Rights. Customer irrevocably acknowledges that, subject to the subscriptions granted herein, Customer has no ownership interest in the Software, Deliverables, or LeadingReach materials provided to Customer. LeadingReach shall own all right, title, and interest in such Software, and LeadingReach materials, subject to any limitations associated with intellectual property rights of third parties. LeadingReach reserves all rights not specifically granted herein.
4.2. Protected Health Information. LeadingReach may de-identify protected health information (“PHI”) in accordance with HIPAA and use the de-identified data for any lawful purpose. Customer acknowledges that the services provided by LeadingReach include data analytics on Customer’s data (including PHI) and that a byproduct of such data analysis may result in improvements to LeadingReach’s products and solutions and the foregoing shall be deemed LeadingReach materials.
5.1. Definition. “Confidential Information” includes all information marked pursuant to this Section and disclosed by either party, before or after the Effective Date, and generally not publicly known, whether tangible or intangible and in whatever form or medium provided, as well as any information generated by a party that contains, reflects, or is derived from such information.
5.2. Confidentiality of Software. All Confidential Information in tangible form shall be marked as “Confidential” or the like or, if intangible (e.g., orally disclosed), shall be designated as being confidential at the time of disclosure and shall be confirmed as such in writing within thirty (30) days of the initial disclosure. Notwithstanding the foregoing, the following is deemed LeadingReach Confidential Information with or without such marking or written confirmation: (i) the Software and other related materials furnished by LeadingReach; (ii) the oral and visual information relating to the Software; and the terms and conditions of this Agreement.
5.3. Exceptions. Without granting any right or license, the obligations of the parties hereunder shall not apply to any material or information that: (i) is or becomes a part of the public domain through no act or omission by the receiving party; (ii) is independently developed by the other party without use of the disclosing party’s Confidential Information; (iii) is rightfully obtained from a third party without any obligation of confidentiality; or (iv) is already known by the receiving party without any obligation of confidentiality prior to obtaining the Confidential Information from the disclosing party. In addition, neither party shall be liable for disclosure of Confidential Information if made in response to a valid order of a court or authorized agency of government, provided that notice is promptly given to the disclosing party so that the disclosing party may seek a protective order and engage in other efforts to minimize the required disclosure. The parties shall cooperate fully in seeking such protective order and in engaging in such other efforts.
5.4. Ownership of Confidential Information. Nothing in this Agreement shall be construed to convey any title or ownership rights to the Software or other Confidential Information to Customer or to any patent, copyright, trademark, or trade secret embodied therein, or to grant any other right, title, or ownership interest to the LeadingReach Confidential Information. Neither party shall, in whole or in part, sell, lease, license, assign, transfer, or disclose the Confidential Information to any third party and shall not copy, reproduce or distribute the Confidential Information except as expressly permitted in this Agreement. Each party shall take every reasonable precaution, but no less than those precautions used to protect its own Confidential Information, to prevent the theft, disclosure, and the unauthorized copying, reproduction or distribution of the Confidential Information.
5.5. Non-Disclosure. Each party agrees at all times to keep strictly confidential all Confidential Information belonging to the other party. Each party agrees to restrict access to the other party’s Confidential Information only to those employees or Subcontractors who (i) require access in the course of their assigned duties and responsibilities; and (ii) have agreed in writing to be bound by provisions no less restrictive than those set forth in this Section.
5.6. Injunctive Relief. Each party acknowledges that any unauthorized disclosure or use of the Confidential Information would cause the other party imminent irreparable injury and that such party shall be entitled to, in addition to any other remedies available at law or in equity, temporary, preliminary, and permanent injunctive relief in the event the other party does not fulfill its obligations under this Section.
5.7. HIPAA. To the extent Customer is authorized by LeadingReach to process or store protected health information as defined by HIPAA (PHI) in the Software or the Leading Reach environment hosting the Software, LeadingReach and Customer each agree to comply with their respective obligations in the Business Associate Agreement attached to this Agreement as Exhibit A.
5.8. Suggestions/Improvements to Software. Notwithstanding this Section, unless otherwise expressly agreed in writing, all suggestions, solutions, improvements, corrections, and other contributions provided by Customer regarding the Software or other LeadingReach materials provided to Customer shall be owned by LeadingReach, and Customer hereby agrees to assign any such rights to LeadingReach. Nothing in this Agreement shall preclude LeadingReach from using in any manner or for any purpose it deems necessary, the know-how, techniques, or procedures acquired or used by LeadingReach in the performance of services hereunder.
6. CUSTOMER’S FACILITIES. To the extent required by LeadingReach, Customer will make available to LeadingReach certain of its facilities, computer resources, software, networks, personnel, and business information as are required to perform any Service hereunder. LeadingReach agrees to comply at all times with Customer’s rules and regulations regarding safety, security, and conduct which Customer provides to LeadingReach in writing.
7.1. Authorized Representative. Customer and LeadingReach warrant that each has the right to enter into this Agreement and that the Agreement shall be executed by an authorized representative of each entity. LeadingReach warrants that all Services performed under this Agreement shall be performed in a workmanlike and professional manner.
7.2. Disclaimer of Warranties. Customer acknowledges and agrees that it is not relying on any statement or warranty not expressly provided herein with respect to the Software or maintenance, or other services provided hereunder. EXCEPT AS OTHERWISE STATED IN THIS AGREEMENT, THE SOFTWARE IS PROVIDED “AS IS” AND LEADINGREACH MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
7.3. No Modifications. Notwithstanding anything to the contrary in this Section, any and all warranties under this Agreement are VOID if Customer has made changes to the Software or has permitted any changes to be made other than by or with the express, written approval of LeadingReach.
8. LIMITATION OF LIABILITY
8.1. Liability Cap. IN NO EVENT SHALL LEADINGREACH BE LIABLE UNDER ANY THEORY OF LIABILITY, WHETHER IN AN EQUITABLE, LEGAL, OR COMMON LAW ACTION ARISING HEREUNDER FOR CONTRACT, STRICT LIABILITY, INDEMNITY, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, FOR DAMAGES WHICH, IN THE AGGREGATE, EXCEED THE AMOUNT OF THE FEES PAID BY CUSTOMER IN THE SIX (6) MONTHS PRIOR TO THE CLAIM FOR THE SOFTWARE OR SERVICES WHICH GAVE RISE TO SUCH DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
8.2. Disclaimer of Damages. IN NO EVENT SHALL LEADINGREACH BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND AND HOWEVER CAUSED INCLUDING, BUT NOT LIMITED TO, BUSINESS INTERRUPTION OR LOSS OF PROFITS, BUSINESS OPPORTUNITIES, OR GOODWILL EVEN IF NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
9. TERM AND TERMINATION
9.1. Termination by LeadingReach. This Agreement and any subscription created hereunder may be terminated by LeadingReach (i) if Customer fails to make any payments due hereunder within fifteen (15) days of the due date; (ii) on thirty (30) days written notice to Customer if Customer fails to perform any other material obligation required of it hereunder, and such failure is not cured within such thirty (30) day period; or (iii) if Customer files a petition for bankruptcy or insolvency, has an involuntary petition filed against it, commences an action providing for relief under bankruptcy laws, files for the appointment of a receiver, or is adjudicated a bankrupt concern.
9.2. Termination by Customer. This Agreement may be terminated by Customer on thirty (30) days written notice to [email protected]. All subscription fees incurred within the thirty (30) day notice period will be due to LeadingReach. All fees paid to LeadingReach will not be refunded.
9.3. Termination. Upon termination of this Agreement, Customer shall no longer access the Software and Customer shall not circumvent any security mechanisms contained therein.
9.4. Other Remedies. Termination of this Agreement shall not limit either party from pursuing other remedies available to it, including injunctive relief, nor shall such termination relieve Customer’s obligation to pay all fees that have accrued or are otherwise owed by Customer under this Agreement.
9.5. Effects of Termination. Upon termination or expiration of this Agreement or any Order, each party shall deliver to the other all copies of all applicable Confidential Information of the other party and Customer shall return or destroy all source code and object code versions of the Deliverables.
10. CUSTOMER OBLIGATIONS. Customer agrees that no employees of LeadingReach shall be required to individually sign any agreement in order to perform any services hereunder including, but not limited to, access agreements, security agreements, facilities agreements or individual confidentiality agreements.
11.1. Independent Contractor. LeadingReach is an independent contractor and nothing in this Agreement shall be deemed to make LeadingReach an agent, employee, partner or joint venturer of Customer. Neither party shall have authority to bind, commit, or otherwise obligate the other party in any manner whatsoever.
11.2. Expenses and Attorneys’ Fees. In the event any action, including arbitration, is brought to enforce any provision of this Agreement or any Order or to declare a breach of this Agreement, the prevailing party shall be entitled to recover, in addition to any other amounts awarded, reasonable legal and other related costs and expenses, including attorney’s fees.
11.3. Compliance With Laws. Customer agrees to comply with all applicable laws, regulations, and ordinances relating to its performance under this Agreement, including, but not limited to HIPAA for Customer’s own LeadingReach account maintenance, configuration, operation and procedures, including but not limited to, user/admin account access and security. The parties agree that the Agreement shall not be governed by the United Nations Convention on the International Sale of Goods or by UCITA, the application of which is expressly excluded.
11.4. Assignment. Customer may not assign this Agreement or otherwise transfer any subscription created hereunder whether by operation of law, change of control, or in any other manner, without the prior written consent of LeadingReach. Any assignment or transfer in violation of this Section shall be null and void.
11.5. Survival. The provisions set forth in Sections 2, 4, 7.2, 8, 9.6, and 11 of this Agreement shall survive termination or expiration of this Agreement and any applicable subscription hereunder.
11.6. Notices. Any notice required under this Agreement shall be given in writing and shall be deemed effective upon delivery to the party to whom addressed. All notices to LeadingReach shall be sent to 7719 Wood Hollow Dr. Suite 265, Austin, TX 78731 or to such other address as LeadingReach may designate in writing. All notices to Customer shall be sent to the address provided by Customer to LeadingReach or the address on file with LeadingReach. Unless otherwise specified, all notices to LeadingReach shall be sent to the attention of the CEO. Any notice of material breach shall clearly define the breach including the specific contractual obligation that has been breached.
11.7. Force Majeure. LeadingReach shall not be liable to Customer for any delay or failure of LeadingReach to perform its obligations hereunder if such delay or failure arises from any cause or causes beyond the reasonable control of LeadingReach. Such causes shall include, but are not limited to, acts of God, floods, fires, loss of electricity or other utilities, or delays by Customer in providing required resources or support or performing any other requirements hereunder.
11.8. Restricted Rights. Use of the Software by or for the United States Government is conditioned upon the Government agreeing that the Software is subject to Restricted Rights as provided under the provisions set forth in FAR 52.227-19. Customer shall be responsible for assuring that this provision is included in all agreements with the United States Government and that the Software, when delivered to the Government, is correctly marked as required by applicable Government regulations governing such Restricted Rights as of such delivery.
11.10. Modifications. The parties agree that this Agreement cannot be altered, amended or modified, except by a writing signed by an authorized representative of each party.
11.11. Nonsolicitation. During the term of this Agreement and for a period of two (2) years thereafter, Customer agrees not to hire, solicit, nor attempt to solicit, the services of any employee or Subcontractor of LeadingReach without the prior written consent of LeadingReach. Customer further agrees not to hire, solicit, nor attempt to solicit, the services of any former employee or Subcontractor of LeadingReach for a period of one (1) year from such former employee’s or Subcontractor’s last date of service with LeadingReach. Violation of this provision shall entitle LeadingReach to liquidated damages against Customer equal to two hundred percent (200%) of the solicited person’s gross annual compensation.
11.12. Publicity. Customer agrees to cooperate with LeadingReach (i) in preparation of at least one (1) press release, where the aforementioned materials can be used in/on LeadingReach’s Web site, marketing materials, trade shows, public advertisements, and other associated marketing uses (“LeadingReach Marketing Materials”); and (ii) in preparation of a LeadingReach-sponsored testimonial advertisement to be run in newspapers, magazines, and other publications and for use in LeadingReach Marketing Materials. The parties agree that LeadingReach may include Customer’s logo and name on publicly displayed customer lists (including LeadingReach’s Internet Web site and public advertisements). There shall be a “Powered by LeadingReach” logo, to be provided by LeadingReach, in the bottom portion of any of Customer’s LeadingReach email templates. The LeadingReach logo shall link directly to the then-current LeadingReach Web site home page.
11.13. No Waiver. No failure or delay in enforcing any right or exercising any remedy will be deemed a waiver of any right or remedy.
11.14. Severability and Reformation. Each provision of this Agreement is a separately enforceable provision. If any provision of this Agreement is determined to be or becomes unenforceable or illegal, such provision shall be reformed to the minimum extent necessary in order for this Agreement to remain in effect in accordance with its terms as modified by such reformation.
11.15. Choice of Law. THIS AGREEMENT SHALL BE GOVERNED AND INTERPRETED BY THE LAWS OF THE STATE OF TEXAS WITHOUT REGARD TO THE CONFLICTS OF LAW PROVISIONS OF ANY STATE OR JURISDICTION. ANY ACTION ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL BE BROUGHT IN THE STATE OR FEDERAL COURTS LOCATED IN AUSTIN, TEXAS.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is hereby entered between Leading Reach, Inc. (“Business Associate”) and the Customer of the LeadingReach Software and services (“Covered Entity”).
- STATEMENT OF PURPOSE. BUSINESS ASSOCIATE HAS BEEN ENGAGED TO PROVIDE CERTAIN SERVICES TO COVERED ENTITY AS SET FORTH IN THE SUBSCRIPTION AGREEMENT TERMS AND CONDITIONS (“SERVICE AGREEMENT”). THE PARTIES ACKNOWLEDGE THAT BUSINESS ASSOCIATE MAY BE EXPOSED TO, OR BECOME AWARE OF PROTECTED HEALTH INFORMATION (ALSO REFERRED TO HEREIN AS “PHI”) IN THE PERFORMANCE OF THE SERVICES. THE PARTIES WISH TO ENTER INTO THIS AGREEMENT TO PROVIDE COVERED ENTITY WITH THE WRITTEN ASSURANCES REQUIRED BY THE PRIVACY RULE AND THE SECURITY RULE ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (“HITECH ACT” AND TOGETHER, “HIPAA”) AND TO ADDRESS THE USE AND DISCLOSURE OF PHI.
- Definitions. Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule and the Security Rule, where not inappropriate by context.
(a) “Business Associate” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this Agreement, shall mean Leading Reach, Inc.
(b) “Covered Entity” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this Agreement, shall mean the customer of Business Associate identified above.
(c) “Designated Record Set” shall have the meaning set forth in 45 C.F.R. Section 164.501.
(d) “Disclose” and “Disclosure” mean, with respect to Protected Health Information, the release, transfer, provision of access to, or divulging in any other manner of Protected Health Information outside the organization’s internal operations or to individuals other than its workforce.
(e) “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “Electronic Protected Health Information” in 45 C.F.R. § 160.103, and, in this Agreement, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Covered Entity in the course of Business Associate’s providing Services under the Service Agreement.
(f) “Incidental” shall refer to those uses and disclosures covered in 45 C.F.R. 164.502 (a) (1) (iii) which do not rise to the level where a business associate agreement is required and that occur as a by-product of another permissible or required use under HIPAA and that cannot be reasonably prevented and are limited in nature.
(g) “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(h) “Privacy Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 160 subparts A and E promulgated under HIPAA.
(i) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity and, in this Agreement, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Covered Entity in the course of Business Associate’s providing Services under the Service Agreement.
(j) “Security Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 164 subpart C promulgated under HIPAA.
(k) “Services” has the same meaning as in the Service Agreement.
(l) “Use” or “Uses” shall have the meaning set forth in 45 C.F.R. Section 160.103.
- Obligations of Business Associate. Business Associate agrees:
(a) not to use or further disclose PHI created or received by Business Associate from, or on behalf of, Covered Entity other than as required to carry out its Service obligations to Covered Entity and as expressly permitted or required by this Agreement or applicable laws. Such use, disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the minimum necessary PHI to accomplish the intended result of the use, disclosure or request;
(b) to use reasonable and appropriate safeguards designed to prevent the use or disclosure of Protected Health Information in any manner other than as permitted by this Agreement;
(c) to report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which it becomes aware. In addition, Business Associate will report, following discovery and without unreasonable delay, any “Breach” of “Unsecured Protected Health Information” as defined by the HITECH Act and any implementing regulations. Any such report shall include the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall report Security Incidents to Covered Entity with the exception of unsuccessful Security Incidents (such as pings, broadcast firewall attacks, port scans, and unsuccessful log-on attempts) which Covered Entity hereby acknowledges occur regularly and no further notice is necessary. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement;
(d) to ensure that any agents and subcontractors of Business Associate to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information;
(e) to the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified of such by Covered Entity, to make available PHI maintained by Business Associate in a Designated Record Set to Covered Entity as required for Covered Entity to comply with its obligation to give an individual the right of access to inspect and obtain a copy of their PHI as set forth in 45 C.F.R. 164.524. Consistent with 45 C.F.R. 164.524, Business Associate’s obligation will be limited to the extent such PHI is in the sole possession of Business Associate and is not duplicative of PHI held by Covered Entity. The provision of the access to the individual’s PHI and any denials of access to the PHI shall be the responsibility of Covered Entity;
(f) to the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified of such by Covered Entity, to make available PHI maintained by Business Associate in a Designated Record Set to Covered Entity as required for Covered Entity to comply with its obligation to amend PHI as set forth in 45 C.F.R. 164.526. The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Covered Entity;
(g) to make available to Covered Entity information regarding disclosures by Business Associate to third parties for which an accounting is required under 45 C.F.R. Section 164.528 so Covered Entity can meet its requirements to provide an accounting of disclosures to individuals in accordance with 45 C.F.R. 164.528;
(h) to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the Privacy and Security Rules;
(i) at termination of this Agreement, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and to retain no copies of such information, or, if such return or destruction is not feasible in the sole discretion of Business Associate, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
(j) with respect to Electronic Protected Health Information, Business Associate will (i) implement administrative, physical, and technical safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Company, as required by the Security Rule; (ii) ensure that any agent or subcontractor to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to Covered Entity any Security Incident of which it becomes aware in accordance with Section
- Permitted Uses and Disclosures by Business Associate
(a) Except as otherwise limited by this Agreement, Business Associate may make any uses or disclosures of PHI reasonably necessary to perform its Services to Covered Entity and otherwise to meet its obligations under this Agreement and the Service Agreement.
(b) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(c) Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, if the disclosure is Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B) in accordance with the Services.
(e) Except as otherwise limited in this Agreement, Business Associate may deidentify PHI in accordance with the HIPAA Safe Harbor principles.
- Covered Entity Obligations.
(a) Covered Entity shall use and disclose PHI only in accordance with the Privacy Rule, the Security Rule, and any other applicable law concerning PHI. Covered Entity shall limit disclosures of PHI to Business Associate in accordance with minimum necessary practices. Covered Entity shall follow all data security instructions communicated by Business Associate or set forth in the applicable Business Associate Service description or statement of work.
(b) Covered Entity shall be solely responsible for establishing the applicable HIPAA Security Rule safeguards and associated policies for protecting PHI in its facilities. Covered Entity shall communicate the relevant safeguards and policies to Business Associate when Business Associate provides Services at a Covered Entity facility.
(c) Covered Entity shall be responsible for ensuring PHI is secured through the use of a technology or methodology specified by the Secretary of Health and Human Services as rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.
(d) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under applicable laws concerning PHI. Covered Entity shall notify Business Associate of any limitation(s), restriction or changes on the use or disclosure of PHI of which it becomes aware that may affect Business Associate’s use or disclosure of PHI.
(a) Term and Termination. The term of this Agreement shall be the same as the term of the Service Agreement. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall notify Business Associate of the breach in writing, and shall provide an opportunity for Business Associate to cure the breach or end the violation of thirty (30) business days after such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period, Covered Entity shall have the right to terminate this Agreement upon written notice to Business Associate. In the event that termination of this Agreement is not feasible as mutually agreed to by Business Associate and Covered Entity, Business Associate hereby acknowledges that Covered Entity shall have the right to report the breach to the Secretary of Health and Human Services. This Agreement shall terminate immediately in the event that a HIPAA business associate agreement is no longer required under applicable laws.
(b) No Third Party Beneficiaries. No provision of this Agreement is intended to benefit any person or entity not a party to this Agreement, nor shall any person or entity not a party to this Agreement have any right to seek to enforce or recover any right or remedy with respect hereto.
(c) Modification of Agreement. No alteration, amendment, or modification of the terms of this Agreement shall be valid or effective unless in writing and signed by Business Associate and Covered Entity.
(d) Non-Waiver. A failure of any party to enforce at any time any term, provision or condition of this Agreement, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein. In no way whatsoever shall a waiver of any term, provision or condition of this Agreement be valid unless in writing, signed by the waiving party, and only to the extent set forth in such writing.
(e) Severability. If any provision of this Agreement is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.
(f) Relationship to Services Agreement Provisions. In the event that a provision of this Agreement is contrary to a provision of the Service Agreement, the provision of this Agreement shall control. Otherwise, this Agreement shall be construed under, and in accordance with, the terms of the Service Agreement.
END OF EXHIBIT