Terms and Conditions
Software as a Service (SaaS) License Agreement
These terms and conditions apply to any document or agreement (“Agreement”) made by and between Carehandler, Inc. (“Carehandler”), a Delaware corporation, located at 1740 E Fairview Ave. #1019 Meridian, ID 83642, and its customer (“Customer”) that incorporates these terms and conditions by reference. References to the “Agreement” include these terms and conditions. The effective date of the Agreement is referred to herein as the “Effective Date”.
If the Customer cancels this Agreement pursuant to the previous sentence, Customer will not be responsible for any amounts owed after the termination date, which shall be 30 days after providing written notice to Carehandler.
“Administrator User” means each Customer employee designated by Customer to serve as technical administrator of the SaaS Services on Customer’s behalf.
“Company User” means each individual designated by Customer to access Carehandler. This includes Administrator Users.
“Customer Content” means all data and materials provided by Customer to Carehandler for use in connection with the SaaS Services, including, without limitation, customer applications, data files, and graphics.
“Data Destruction Certificate” means a document that is presented to Customer by Carehandler identifying and certifying the event and means of destruction, deletion and permanent removal of Customer data that was previously managed, stored or housed by Carehandler SaaS Services.
“Documentation” means the user guides, online help, release notes, training materials and other documentation provided or made available by Carehandler to Customer regarding the use or operation of the SaaS Services.
“Host” means the computer equipment on which the Software is installed, which is owned and operated by Carehandler or its subcontractors.
“Maintenance Services” means the support and maintenance services provided by Carehandler to Customer pursuant to the SaaS Agreement.
“Other Services” means all technical and non-technical services performed or delivered by Carehandler under this SaaS Agreement, including, without limitation, implementation services and other professional services, training and education services but excluding the SaaS Services and the Maintenance Services. Other Services will be provided on a time and material basis at such times or during such periods, as may be specified in a Schedule and mutually agreed to by the parties. All Other Services will be provided on a non-work for hire basis.
“Software” means the object code version of any software to which Customer is provided access as part of the Service, including any updates or new versions.
“Software as a Service Services (SaaS Services)” refers to Carehandler’s specific internet-accessible service identified in a Schedule that provides use of Carehandler’s Software that is hosted by Carehandler or its services provider and made available to Customer over a network on a term-use basis.
“Subscription Term” shall mean that period specified in a Schedule during which Customer will have on-line access and use of the Software through Carehandler’s SaaS Services. The Subscription Term shall renew for successive 12-month periods unless either party delivers written notice of non-renewal to the other party at least 30 days prior to the expiration of the then-current Subscription Term.
Software as a Service (SaaS)
During the Subscription Term, Customer will receive a nonexclusive, non-assignable, royalty free, worldwide right to access and use the SaaS solely for your internal business operations subject to the terms of this Agreement. Customer acknowledges that this Agreement is a services agreement and Carehandler will not be delivering copies of the Software to Customer as part of the SaaS Services.
Customer shall not, and shall not permit anyone to: (i) copy or republish the SaaS Services or Software, (ii) make the SaaS Services available to any person other than authorized users, (iii) use or access the SaaS Services to provide service bureau, time-sharing or other computer hosting services to third parties, (iv) modify or create derivative works based upon the SaaS Services or Documentation, (v) remove, modify or obscure any copyright, trademark or other proprietary notices contained in the software used to provide the SaaS Services or in the Documentation, (vi) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Software used to provide the SaaS Services, except and only to the extent such activity is expressly permitted by applicable law, or (vii) access the SaaS Services or use the Documentation in order to build a similar product or competitive product. Subject to the limited licenses granted herein, Carehandler shall own all right, title and interest in and to the Software, services, Documentation, and other deliverables provided under this SaaS Agreement, including all modifications, improvements, upgrades, derivative works and feedback related thereto and intellectual property rights therein. Customer agrees to assign all right, title and interest it may have in the foregoing to Carehandler.
Assistance. Customer shall provide commercially reasonable information and assistance to Carehandler to enable Carehandler to deliver the SaaS Services. Upon request from Carehandler, Customer shall promptly deliver Customer Content to Carehandler in an electronic file format specified and accessible by Carehandler. Customer acknowledges that Carehandler’s ability to deliver the SaaS Services in the manner provided in this SaaS Agreement may depend upon the accuracy and timeliness of such information and assistance.
Compliance with Laws. Customer shall comply with all applicable local, state, national and foreign laws in connection with its use of the SaaS Services, including those laws related to data privacy, international communications, and the transmission of technical or personal data. Customer acknowledges that Carehandler exercises no control over the content of the information transmitted by Customer or the Identity Cube users through the SaaS Services. Customer shall not upload, post, reproduce or distribute any information, software or other material protected by copyright, privacy rights, or any other intellectual property right without first obtaining the permission of the owner of such rights.
Unauthorized Use; False Information. Customer shall: (a) notify Carehandler immediately of any unauthorized use of any password or user id or any other known or suspected breach of security, (b) report to Carehandler immediately and use reasonable efforts to stop any unauthorized use of the SaaS Services that is known or suspected by Customer or any user, and (c) not provide false identity information to gain access to or use the SaaS Services.
User Access. Customer shall be solely responsible for the acts and omissions of its Company Users. Carehandler shall not be liable for any loss of data or functionality caused directly or indirectly by the Company Users.
Customer Input. Customer is solely responsible for collecting, inputting and updating all Customer Content stored on the Host, and for ensuring that the Customer Content does not (i) include anything that actually or potentially infringes or misappropriates the copyright, trade secret, trademark or other intellectual property right of any third party, or (ii) contain anything that is obscene, defamatory, harassing, offensive or malicious. Customer shall: (i) notify Carehandler immediately of any unauthorized use of any password or user id or any other known or suspected breach of security, (ii) report to Carehandler immediately and use reasonable efforts to stop any unauthorized use of the Service that is known or suspected by Customer or any Identity Cube user, and (iii) not provide false identity information to gain access to or use the Service.
License from Customer. Subject to the terms and conditions of this SaaS Agreement, Customer shall grant to Carehandler a limited, non-exclusive and non-transferable license, to copy, store, configure, perform, display and transmit Customer Content solely as necessary to provide the SaaS Services to Customer.
Ownership and Restrictions. Customer retains ownership and intellectual property rights in and to its Customer Content and data. Customer data may be obtained either through the provided channels or a full data export may be provided upon request. If a full data export is required at the time of termination, Customer must submit a request for the data at the time of termination. Charges to the Customer may apply if full data exports are requested within sixty (60) days of a previous request.
Carehandler or its licensors retain all ownership and intellectual property rights to the services, Software programs, and anything developed and delivered under the Agreement. Third party technology that may be appropriate or necessary for use with some Carehandler programs is specified in the program Documentation or ordering document as applicable. Customer’s right to use such third party technology is governed by the terms of the third party technology license agreement specified by Carehandler and not under the Agreement.
Suggestions. Carehandler shall have a royalty-free, worldwide, irrevocable, perpetual license to use and incorporate into the SaaS Services any suggestions, enhancement requests, recommendation or other feedback provided by Customer, including Users, relating to the operation of the SaaS Services.
Orders and Payment
Orders. Customer shall order SaaS Services pursuant to a Schedule. All services acquired by Customer shall be governed exclusively by this SaaS Agreement and the applicable Schedule. In the event of a conflict between the terms of a Schedule and this SaaS Agreement, the terms of the Schedule shall take precedence.
Invoicing and Payment. Unless otherwise provided in the Schedule, Carehandler shall invoice Customer for all fees on the Schedule effective date. Customer shall pay all undisputed invoices within 30 days after Customer receives the invoice. Except as expressly provided otherwise, fees are non-refundable. All fees are stated in United States Dollars, and must be paid by Customer to Carehandler in United States Dollars.
Expenses. Customer will reimburse Carehandler for its reasonable, out-of-pocket travel and related expenses incurred in performing the Other Services. Carehandler shall notify Customer prior to incurring any such expense. Carehandler shall comply with Customer’s travel and expense policy if made available to Carehandler prior to the required travel.
Taxes. Carehandler shall bill Customer for applicable taxes as a separate line item on each invoice. Customer shall be responsible for payment of all sales and use taxes, value added taxes (VAT), or similar charges relating to Customer’s purchase and use of the services. Customer shall not be liable for taxes based on Carehandler’s net income, capital or corporate franchise.
Data Retention and Destruction
Document Destruction. Any hardcopy documents containing Confidential Information shall be destroyed by shredding in accordance with the Company’s general record retention policy at the later of either (i) the time when the information is no longer necessary for the purpose for which it was created, obtained, used or disclosed; or (ii) the end of the six (6) year document retention period mandated by HIPAA.
Data Retention. All data within the SaaS Services will be maintained in accordance with HIPAA as described below for a minimum of six (6) years. Monthly backups of the data used by SaaS Services will be stored for six (6) years. Any ePHI that is not part of the SaaS Services and received digitally will be deleted permanently once there is no use for the data or at the time of Termination.
Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of this agreement, Carehandler shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this agreement, then Carehandler shall extend the protections of the BAA, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information. A Data Destruction Certificate will be issued to the Customer once the removal has been completed from the active SaaS database.
Terms And Termination
Term of SaaS Agreement. The term of this SaaS Agreement shall begin on the Effective Date and shall continue until terminated by either party as outlined in this Section.
Termination. Either party may terminate this SaaS Agreement immediately upon a material breach by the other party that has not been cured within thirty (30) days after receipt of notice of such breach.
Suspension for Non-Payment. Carehandler reserves the right to suspend delivery of the SaaS Services if Customer fails to timely pay any undisputed amounts due to Carehandler under this SaaS Agreement, but only after Carehandler notifies Customer of such failure and such failure continues for fifteen (15) days. Suspension of the SaaS Services shall not release Customer of its payment obligations under this SaaS Agreement. Customer agrees that Carehandler shall not be liable to Customer or to any third party for any liabilities, claims or expenses arising from or relating to suspension of the SaaS Services resulting from Customer’s nonpayment.
Suspension for Ongoing Harm. Carehandler reserves the right to suspend delivery of the SaaS Services if Carehandler reasonably concludes that Customer or an Identity Cube user’s use of the SaaS Services is causing immediate and ongoing harm to Carehandler or others. In the extraordinary case that Carehandler must suspend delivery of the SaaS Services, Carehandler shall immediately notify Customer of the suspension and the parties shall diligently attempt to resolve the issue. Carehandler shall not be liable to Customer or to any third party for any liabilities, claims or expenses arising from or relating to any suspension of the SaaS Services in accordance with this Section Suspension for Ongoing Harm. Nothing in this Section will limit Carehandler’s rights under Section Effect of Termination below.
Effect of Termination.
(a) Upon termination of this SaaS Agreement or expiration of the Subscription Term, Carehandler shall immediately cease providing the SaaS Services and all usage rights granted under this SaaS Agreement shall terminate.
(b) If Carehandler terminates this SaaS Agreement due to a breach by Customer, then Customer shall immediately pay to Carehandler all amounts then due under this SaaS Agreement and to become due during the remaining term of this SaaS Agreement, but for such termination. If Customer terminates this SaaS Agreement due to a breach by Carehandler, then Carehandler shall immediately repay to Customer all pre-paid amounts for any unperformed SaaS Services scheduled to be delivered after the termination date.
(c) Upon termination of this SaaS Agreement and upon subsequent written request by the disclosing party, the receiving party of tangible Confidential Information shall immediately return such information or destroy such information and provide written certification of such destruction, provided that the receiving party may permit its legal counsel to retain one archival copy of such information in the event of a subsequent dispute between the parties.
Service Level Agreement
The Service Level Agreement (“SLA”) for the SaaS is set forth in Exhibit A hereto. The SLA sets forth Customer’s sole remedies for availability or quality of the SaaS including any failure to meet any guarantee set forth in the SLA.
Warranty. Carehandler represents and warrants that it will provide the SaaS Services in a professional manner consistent with general industry standards and that the SaaS Services will perform substantially in accordance with the Documentation. For any breach of a warranty, Customer’s exclusive remedy shall be as provided in Section, Term and Termination.
8.2 CAREHANDLER WARRANTS THAT THE SAAS SERVICES WILL PERFORM IN ALL MATERIAL RESPECTS IN ACCORDANCE WITH THE DOCUMENTATION. CAREHANDLER DOES NOT GUARANTEE THAT THE SAAS SERVICES WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, OR THAT CAREHANDLER WILL CORRECT ALL SAAS SERVICES ERRORS. CUSTOMER ACKNOWLEDGES THAT CAREHANDLER DOES NOT CONTROL THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING THE INTERNET, AND THAT THE SAAS SERVICE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. THIS SECTION SETS FORTH THE SOLE AND EXCLUSIVE WARRANTY GIVEN BY CAREHANDLER (EXPRESS OR IMPLIED) WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT. NEITHER CAREHANDLER NOR ANY OF ITS LICENSORS OR OTHER SUPPLIERS WARRANT OR GUARANTEE THAT THE OPERATION OF THE SUBSCRIPTION SERVICE WILL BE UNINTERRUPTED, VIRUS-FREE OR ERROR-FREE, NOR SHALL CAREHANDLER OR ANY OF ITS SERVICE PROVIDERS BE LIABLE FOR UNAUTHORIZED ALTERATION, THEFT OR DESTRUCTION OF CUSTOMER’S OR ANY USER’S DATA, FILES, OR PROGRAMS.
Limitations of Liability
NEITHER PARTY (NOR ANY LICENSOR OR OTHER SUPPLIER OF CAREHANDLER) SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST BUSINESS, PROFITS, DATA OR USE OF ANY SERVICE, INCURRED BY EITHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS SAAS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM (INCLUDING NEGLIGENCE), EVEN IF FORESEEABLE OR THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NEITHER PARTY’S AGGREGATE LIABILITY FOR DAMAGES UNDER THIS SAAS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM (INCLUDING NEGLIGENCE), SHALL EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER UNDER THIS SAAS AGREEMENT DURING THE 12 MONTHS PRECEDING THE DATE THE CLAIM AROSE. The foregoing limitations shall not apply to the parties’ obligations (or any breach thereof) under Sections entitled “Restriction”, “Indemnification”, or “Confidentiality”.
Indemnification by Carehandler. If a third party makes a claim against Customer that the SaaS Services infringes any patent, copyright or trademark, or misappropriates any trade secret, or that Carehandler’s negligence or willful misconduct has caused bodily injury or death, Carehandler shall defend Customer and its directors, officers and employees against the claim at Carehandler’s expense and Carehandler shall pay all losses, damages and expenses (including reasonable attorneys’ fees) finally awarded against such parties or agreed to in a written settlement agreement signed by Carehandler, to the extent arising from the claim. Carehandler shall have no liability for any claim based on (a) the Customer Content, (b) modification of the SaaS Services not authorized by Carehandler, or (c) use of the SaaS Services other than in accordance with the Documentation and this SaaS Agreement. Carehandler may, at its sole option and expense, procure for Customer the right to continue use of the SaaS Services, modify the SaaS Services in a manner that does not materially impair the functionality, or terminate the Subscription Term and repay to Customer any amount paid by Customer with respect to the Subscription Term following the termination date.
Indemnification by Customer. If a third party makes a claim against Carehandler that the Customer Content infringes any patent, copyright or trademark, or misappropriates any trade secret, Customer shall defend Carehandler and its directors, officers and employees against the claim at Customer’s expense and Customer shall pay all losses, damages and expenses (including reasonable attorneys’ fees) finally awarded against such parties or agreed to in a written settlement agreement signed by Customer, to the extent arising from the claim.
Conditions for Indemnification. A party seeking indemnification under this section shall (a) promptly notify the other party of the claim, (b) give the other party sole control of the defense and settlement of the claim, and (c) provide, at the other party’s expense for out-of-pocket expenses, the assistance, information and authority reasonably requested by the other party in the defense and settlement of the claim.
Definition. “Confidential Information” means any information disclosed by a party to the other party, directly or indirectly, which, (a) if in written, graphic, machine-readable or other tangible form, is marked as “confidential” or “proprietary,” (b) if disclosed orally or by demonstration, is identified at the time of initial disclosure as confidential and is confirmed in writing to the receiving party to be “confidential” or “proprietary” within 30 days of such disclosure, (c) is specifically deemed to be confidential by the terms of this SaaS Agreement, or (d) reasonably appears to be confidential or proprietary because of the circumstances of disclosure and the nature of the information itself. Confidential Information will also include information disclosed by third parties to a disclosing party under an obligation of confidentiality. Subject to the display of Customer Content as contemplated by this SaaS Agreement, Customer Content is deemed Confidential Information of Customer. Carehandler software and Documentation are deemed Confidential Information of Carehandler.
Confidentiality. During the term of this SaaS Agreement and for 5 years thereafter (perpetually in the case of software), each party shall treat as confidential all Confidential Information of the other party, shall not use such Confidential Information except to exercise its rights and perform its obligations under this SaaS Agreement, and shall not disclose such Confidential Information to any third party. Without limiting the foregoing, each party shall use at least the same degree of care, but not less than a reasonable degree of care, it uses to prevent the disclosure of its own confidential information to prevent the disclosure of Confidential Information of the other party. Each party shall promptly notify the other party of any actual or suspected misuse or unauthorized disclosure of the other party’s Confidential Information. Neither party shall reverse engineer, disassemble or decompile any prototypes, software or other tangible objects which embody the other party’s Confidential Information and which are provided to the party hereunder. Each party may disclose Confidential Information of the other party on a need-to-know basis to its contractors who are subject to confidentiality agreements requiring them to maintain such information in confidence and use it only to facilitate the performance of their services on behalf of the receiving party.
Exceptions. Confidential Information excludes information that: (a) is known publicly at the time of the disclosure or becomes known publicly after disclosure through no fault of the receiving party, (b) is known to the receiving party, without restriction, at the time of disclosure or becomes known to the receiving party, without restriction, from a source other than the disclosing party not bound by confidentiality obligations to the disclosing party, or (c) is independently developed by the receiving party without use of the Confidential Information as demonstrated by the written records of the receiving party. The receiving party may disclose Confidential Information of the other party to the extent such disclosure is required by law or order of a court or other governmental authority, provided that the receiving party shall use reasonable efforts to promptly notify the other party prior to such disclosure to enable the disclosing party to seek a protective order or otherwise prevent or restrict such disclosure. Each party may disclose the existence of this SaaS Agreement and the relationship of the parties, but agrees that the specific terms of this SaaS Agreement will be treated as Confidential Information; provided, however, that each party may disclose the terms of this SaaS Agreement to those with a need to know and under a duty of confidentiality such as accountants, lawyers, bankers and investors.
Exhibit A: Service Level Agreement
All SaaS Services will achieve System Availability (as defined below) of at least 97% during each calendar year of the Subscription Term. “System Availability” means the number of minutes in a year that the key components of the SaaS Services are operational as a percentage of the total number of minutes in such year, excluding downtime resulting from (a) scheduled maintenance, (b) events of Force Majeure in the SaaS Agreement, (c) malicious attacks on the system, (d) issues associated with the Customer’s computing devices, local area networks or internet service provider connections, or (e) inability to deliver services because of acts or omissions of Customer or any Customer user. Carehandler reserves the right to take the Service offline for scheduled maintenance for which Customer has been provided reasonable notice and Carehandler reserves the right to change its maintenance window upon prior notice to Customer.
If Carehandler fails to meet System Availability in the year, upon written request by Customer within 30 days after the end of the year, Carehandler will issue a credit in Customer’s next invoice in an amount equal to 1% of the yearly fee for the affected SaaS Services for each 1% loss of System Availability below stated SLA per SaaS Service, up to a maximum of the Customer’s fee for the affected SaaS Services. If the yearly fee has been paid in advance, then at Customer’s election Carehandler shall provide a credit to Customer to be used for subsequent Subscription License fees or term extension. The remedy stated in this paragraph is Customer’s sole and exclusive remedy for interruption of SaaS Services and Carehandler’s failure to meet System Availability.
https://carehandler.com Customer Support offers several ways to resolve any technical difficulties. Support can be reached in the following ways:
- Emailing firstname.lastname@example.org or email@example.com
- Call or text 208-495-4115
- Direct chat found on https://carehandler.com
- Submitting a support ticket at https://carehandler.com/support
Exhibit B: BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “Agreement”) is entered into as of the Effective Date, by and between Customer (“Covered Entity”) and Carehandler (“Business Associate”). Covered Entity and Business Associate, collectively, may be referred to herein as the “Parties”.
1.1 Covered Entity and Business Associate enter into this Agreement to comply with the requirements of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), as amended, and other applicable federal and state laws (collectively the “HIPAA Rules”).
1.2 This Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for certain individually identifiable Protected Health Information relating to patients of Covered Entity (“PHI” as that term is defined below) that Business Associate may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs for Covered Entity are defined in one or more agreements between the Parties (the “Underlying Agreements”).
2.1 Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Agreement by reference.
2.2 For purposes of this Agreement:
2.2.1 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.2 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.2.3 “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.5 “Required by Law” shall have the meaning given to such term in 45 C.F.R. 164.103.
2.2.6 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.7 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Use and Disclosure. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
3.2 Appropriate Safeguards. Business Associate shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law.
3.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
3.4 Breach Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
3.5 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, which provides that the agent agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
3.6 Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set to the Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.7 Minimum Necessary Requirement. Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
3.8 Amendment of PHI. Business Associate agrees to make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.9 Accounting of Disclosures. Business Associate shall provide to Covered Entity information collected in accordance with Section 3.11 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.10 Access to Policies and Records. Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules.
3.11 Documentation of Disclosures. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1 General Uses and Disclosures. Business Associate agrees to receive, create, use or disclose PHI only as permitted by this Agreement, the HIPAA Rules, and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule if done by Covered Entity, except as set forth in this Article 4.
4.2 Business Associate may use or disclose PHI as Required By Law.
4.3 Except as otherwise provided in this Agreement, Business Associate may:
4.3.1 Use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities.
4.3.2 Disclose PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the breach notification requirements of this Agreement.
4.3.3 Use PHI to provide Data Aggregation Services to Covered Entity as permitted under the HIPAA Rules.
OBLIGATIONS OF COVERED ENTITY
5.1 Covered Entity shall:
5.1.1 Notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.1.2 Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.1.3 Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI.
5.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Covered Entity, except as provided under Article 4 of this Agreement.
TERM AND TERMINATION
6.1 Term. This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
6.1.1 Either party terminates for cause as authorized under Section 6.2.
6.1.2 All PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is determined to be infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 6.3.
6.2 Termination for Cause. Upon Covered Entity’s knowledge of material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within the timeframe specified by Covered Entity, or if a material term of this Agreement has been breached and a cure is not possible, Covered Entity may terminate this Agreement and the Underlying Agreement(s), if any, upon written notice to Business Associate.
6.3 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
6.3.1 Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
6.3.2 Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the remaining PHI that the Business Associate still maintains in any form;
6.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 6, for as long as Business Associate retains the PHI;
6.3.4 Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI;
6.3.5 Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
7.1 Amendment. The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the HIPAA Rules and any other applicable law.
7.2 Survival. The respective rights and obligations of Business Associate under Article 6 of this Agreement shall survive the termination of this Agreement.
7.3 Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.
7.4 Interpretation. This Agreement shall be interpreted in the following manner:
7.4.1 Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
7.4.2 Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the Department of Health and Human Services, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the Department of Health and Human Services, the court or the regulatory agency.
7.4.3 Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
7.5 Entire Agreement, Severability. This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement(s), if any, impose more stringent requirements related to the use and protection of PHI upon Business Associate. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
7.6 Assignment. This Agreement will be binding on the successors and assigns of Covered Entity and Business Associate. However, this Agreement may not be assigned by Business Associate, in whole or in part, without the written consent of Covered Entity. Any attempted assignment in violation of this provision shall be null and void.
7.7 Multiple Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
7.8 Governing Law. Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state in which the Covered Entity’s principal place of business is located.