This Master Agreement (the “Agreement”) governs those certain Purchase Schedules by and between you (“CUSTOMER”) and Net Health Systems, Inc.
(a) Use and Access of Software. Subject to the terms, conditions and limitations set forth in this Agreement, CUSTOMER shall have the non-exclusive, non-transferable right to use and access the software more fully described in the applicable Purchase Schedule(s) (the “Software”) for the term set forth therein, and to receive other related services, if any, supplied by Net Health hereunder for use by the designated sites and healthcare providers/users (each an “Authorized Site/Provider”) set forth in the applicable Purchase Schedule.
(b) Limitations. Except as otherwise expressly set forth herein, CUSTOMER receives no right to copy, distribute, disseminate, modify, reverse engineer or license/sublicense the Software or any component thereof. Payment of the Fees (as defined in Section 5) or any portion thereof does not entitle CUSTOMER, or any of its affiliates, independent contractors, or agents, to use the Software at any location other than an Authorized Site. Subject to the foregoing restrictions and the confidentiality obligations contained in this Agreement, CUSTOMER’S affiliates and those agents and subcontractors of CUSTOMER that have agreed in writing to abide by the terms and conditions of this Agreement may access and/or use the Software solely for CUSTOMER’S benefit hereunder. CUSTOMER at all times shall be responsible and liable to Net Health for any use of the Software by such affiliates, agents or subcontractors.
(c) Title & Ownership of Rights. Title to the Software and all additional programs (including without limitation, reports) developed by Net Health for CUSTOMER hereunder, and all copies thereof are proprietary to Net Health and title thereto remains with Net Health. In addition, CUSTOMER acknowledges that Net Health is the owner of all right, title and interest in the Software and in any derivative works of and improvements upon Software, regardless of any assistance or involvement by agents or employees of CUSTOMER in any such improvements or derivatives.
(d) Denial of Access. CUSTOMER shall be solely responsible to Net Health for the observance and compliance with all terms and conditions of this Agreement by its Authorized Sites/Providers and/or any third party who has been permitted access to the Software as a result of its action or inaction, whether or not such third party is actually permitted to have such access under the terms of this Agreement. Net Health reserves the right to immediately deny, suspend, or terminate CUSTOMER’s access to and use of the Software without notice if Net Health reasonably believes any action or omission of CUSTOMER or its Authorized Sites/Providers threatens (i) to breach this Agreement; (ii) the operation, integrity, confidentiality, or security of the Software; (iii) the use of the Software by Net Health or Net Health’s other customers; or (iv) to violate applicable law or cause other potential liability or security risk to Net Health.
(a) Net Health agrees to build, as applicable, the interface(s) described in the applicable Purchase Schedule (the “Interface(s)”), if any. All Interfaces are subject to Net Health’s standard applicable Interface specifications. Requests to deviate from Net Health’s standard applicable Interface specifications will be subject to additional development Fees.
3. Consulting Services
(a) Consulting Services. CUSTOMER agrees to accept, and Net Health agrees to provide certain personnel to perform consulting services (“Consulting Services”), if applicable, subject to the terms of this Agreement and as set forth on the applicable Purchase Schedule. Consulting Services may be performed via telephone and other forms of remote correspondence, and may include on-site meetings with CUSTOMER, as further specified in each Purchase Schedule.
(b) Independent Contractor/Relationship of the Parties. In connection with Net Health’s performance of any Consulting Services, Net Health and each person provided by Net Health to CUSTOMER hereunder shall act solely as an independent contractor and nothing herein contained shall at any time be so construed as to create a relationship of employer and employee, partnership, principal and agent, or joint venture as between CUSTOMER and Net Health or between CUSTOMER and any person provided by Net Health to CUSTOMER hereunder. CUSTOMER will report the amounts paid to Net Health in accordance with applicable tax laws.
4. Term and Termination
(a) General. The term of this Agreement (“Term”) shall commence on the date of the initial Purchase Schedule and shall remain in effect for the balance of any Purchase Schedule Term, subject to earlier termination in accordance with this Agreement.
(b) Purchase Schedule Term. The initial term for each Purchase Schedule shall be as stated in the applicable Purchase Schedule (the “Purchase Schedule Initial Term”). Upon the expiration of the Purchase Schedule Initial Term, unless otherwise provided in the Purchase Schedule, the term shall automatically renew for successive one (1) year terms commencing on the day after the expiration of the then current Term (each a “Purchase Schedule Renewal Term” and together with the Purchase Schedule Initial Term, the “Purchase Schedule Term”) at the Fees set forth in Section 5(b) of this Agreement, unless either party elects to terminate the applicable Purchase Schedule at the end of the Purchase Schedule Initial Term or a Purchase Schedule Renewal Term by giving the other party written notice of such election at least ninety (90) days before the expiration of the then-current Purchase Schedule Term.
(c) Termination. If CUSTOMER commits a material breach of this Agreement, or Purchase Schedule, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from Net Health, Net Health may terminate this Agreement, or Purchase Schedule, as applicable, upon written notice to CUSTOMER and CUSTOMER shall pay all remaining Fees from the date of termination to the end of the current Term. If Net Health commits a material breach of this Agreement, or Purchase Schedule, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from CUSTOMER, CUSTOMER may terminate this Agreement, or Purchase Schedule, as applicable.
(a) General. In consideration of the Software, Interface(s), Consulting Services, or other services provided by Net Health pursuant to this Agreement, CUSTOMER shall pay to Net Health the amounts provided for in the applicable Purchase Schedule (the “Fee(s)”) and in accordance with the payment terms set forth in this Agreement and in the applicable Purchase Schedule(s).
(b) Renewal & Third-Party Fees; Increases. For any Renewal Term for either Software, Interfaces and/or maintenance and support fees in connection therewith, the Fees shall be Net Health’s then-current Fees. Net Health may increase Fees at any time in an amount equal to any charges imposed by third parties for any third party components used in connection with the applicable Software, or Interfaces. In addition, Net Health reserves the right to increase Fees at any time; provided, however, any such increase shall not occur more than once in any given twelve month period and any such increase shall be capped at the greater of (i) the increase in Consumer Price Index for all Urban Consumers during the prior twelve month period; or (ii) seven percent.
(c) Set Up and Training Fees, Expenses. Unless otherwise provided in the applicable Purchase Schedule, CUSTOMER shall pay to Net Health a one-time fee stated in the Purchase Schedule for setup of the Software and training for the applicable Authorized Site. Unless otherwise indicated on the applicable Purchase Schedule, all training and implementation will be performed remotely. If CUSTOMER chooses any Saturday or Sunday training, it will cost an additional $500.00 per day payable to Net Health. All training hours included on or referenced in a Purchase Schedule expire nine (9) months from the applicable Purchase Schedule Effective Date. If CUSTOMER cancels or reschedules training less than fifteen (15) days prior to the scheduled date of such training, the CUSTOMER will be charged the greater of (i) a $2500.00 fee with respect to each such cancelled or rescheduled training, or (ii) an amount equal to the monthly Fees for the applicable Software during the length of any such delay in training. CUSTOMER shall also reimburse Net Health for all expenses incurred by Net Health in providing the training, including, but not limited to, travel, airfare, hotel, mileage, transportation, meals, etc. (to the extent such expenses are acceptable under Net Health’s Travel Policy). Expenses will be invoiced as incurred and payment is due upon receipt.
(d) Taxes Not Included. To the extent applicable, the Fees listed in any Purchase Schedule do not include taxes, duties, or other fees, and CUSTOMER shall reimburse Net Health for all such taxes appropriately assessed and paid related to any Software or services provided pursuant to this Agreement, except for those taxes based on Net Health’s net income.
(e) Late Payment. If any of the Fees are not paid to Net Health by CUSTOMER when due, then the Software, Consulting Services and Interfaces may not become available to CUSTOMER until such Fees are paid in full. Payments not made when due will be subject to interest charges at a rate equal to the lesser of one and one-half percent (1.50%) per month, or the maximum rate allowable by law and will accrue monthly on all outstanding balances until paid. CUSTOMER shall be responsible for paying all costs of collection, including reasonable attorneys’ fees, and where lawful, collection agency fees. If payment is not received within sixty (60) days of such payment due date, any and all warranties provided pursuant to the terms of this Agreement shall be voided, and any support and implementation services provided to CUSTOMER pursuant to the terms of this Agreement will be suspended until payment is received. Furthermore, CUSTOMER is aware that in the event CUSTOMER fails to pay all amounts due to Net Health in accordance with the terms and conditions of this Agreement, Net Health will provide CUSTOMER with a copy of its data in a comma delimited file, and CUSTOMER’S access to the Software will be disabled. CUSTOMER ACKNOWLEDGES AND AGREES THAT NET HEALTH SHALL NOT BE LIABLE FOR ANY LOSSES OF TIME, OR FOR ANY OTHER DAMAGES THAT MAY RESULT IN ANY WAY FROM THE DISABLING OF ACCESS TO THE SOFTWARE PURSUANT TO THIS SECTION. Warranties, support, and implementation services, if any and as applicable, shall be fully reinstated when CUSTOMER’S payment is received in full. Except for termination by CUSTOMER in accordance with this Agreement, all payment obligations under this Agreement are non-cancelable and non-refundable. In addition to disabling access to the Software, Net Health reserves the right to pursue all remedies as may be available to it at law or in equity.
(f) Monthly Audits. To the extent CUSTOMER is utilizing Software being provided on a usage or Authorized Provider basis, Net Health reserves the right to conduct monthly audits of CUSTOMER’s usage and/or Authorized Providers to determine usage for the applicable month and/or whether any additional Authorized Providers (each an “Additional Authorized Provider”) have been added or removed by CUSTOMER during such month and Net Health shall adjust CUSTOMER’s monthly invoice accordingly; provided, however, under no circumstances may CUSTOMER reduce the total number of Authorized Providers below the number set forth on the applicable Purchase Schedule. CUSTOMER shall fully cooperate with Net Health in the performance of its monthly audits, including, but not limited to, providing information and assistance as requested by Net Health. Additional Authorized Providers shall be subject to Net Health’s then-current Fees and shall be payable in accordance with the applicable Purchase Schedule and the Agreement. Monthly Fees for each Additional Authorized Provider added shall commence in the month in which the Additional Authorized Provider is added by CUSTOMER and shall end in the month following CUSTOMER’s removal of the applicable Additional Authorized Provider. Monthly Fees are not subject to proration based upon the date of the month in which the Additional Authorized User is added or removed.
6. Customer Responsibilities
(a) CUSTOMER shall be responsible for the following, unless otherwise set forth in the applicable Purchase Schedule: adherence to specified system requirements; running and maintaining all computer network and internet connections necessary for CUSTOMER to use the Software; and all data conversion (if applicable).
(b) CUSTOMER will participate fully in the implementation of the Software, including attending training sessions, performing applicable file builds, and complying with other reasonable Net Health instructions regarding the implementation. In no event shall CUSTOMER delay the start of implementation of the applicable Software beyond the applicable Billing Start Date (as set forth in the applicable Purchase Schedule).
(c) Net Health will not be responsible for any issues resulting from CUSTOMER’S failure to comply with the parties’ mutually agreed upon plan for implementing the Software.
(d) CUSTOMER will fully cooperate with Net Health in its performance of the Consulting Services, if applicable, and will at all times provide Net Health with at least one reliable point of contact for purposes of overseeing the Consulting Services. CUSTOMER contact shall possess the skill, knowledge, and/or experience necessary to oversee, engage and understand the Consulting Services.
(e) CUSTOMER will fully evaluate the adequacy and applicability of the advice and practices provided by Net Health to CUSTOMER during the Consulting Services, if applicable, prior to CUSTOMER adopting or implementing the advice or practices into its business and operations.
(f) CUSTOMER assumes all responsibility and liability for the results of its adoption and implementation of the advice and practices provided by Net Health during the Consulting Services, if applicable.
(g) CUSTOMER acknowledges that the Software may use, incorporate or access Third Party Products, or that CUSTOMER may use, incorporate or access Third Party Products in conjunction with CUSTOMER’s use of the Software, or any other product or service provided to CUSTOMER by Net Health. To the extent that CUSTOMER uses, incorporates or accesses any Third Party Products that are provided by Net Health to CUSTOMER, CUSTOMER acknowledges that continued usage of such Third Party Product(s) is contingent on Net Health’s continued relationship with such Third Party Product vendor and that such use may be subject to additional terms and conditions of the applicable Third Party Product vendor. To the extent CUSTOMER uses, incorporates or accesses any Third Party Products that are not provided by Net Health to CUSTOMER, CUSTOMER represents it has obtained and covenants it will obtain the necessary rights or licenses from the applicable third party vendors to use such Third Party Products and agrees that Net Health shall not be liable for CUSTOMER’s failure to obtain such rights or licenses. Net Health makes no representation or warranty with respect to any such Third Party Products. Net Health shall not be liable for any damages, costs, or expenses, direct or indirect, arising out of the performance or failure to perform of Third Party Products. “Third Party Products” includes, but is not limited to, any product, technology, tool, database, software, works, coding scheme or other intellectual property developed or owned by a third party.
(h) CUSTOMER agrees that it shall use the Software solely in a manner that complies with this Agreement and all applicable laws.
(i) CUSTOMER acknowledges that the Software constitutes part of an information system to be used by CUSTOMER’s personnel as an aid to the organization of patient care. The Software is in no way intended, and the information contained therein is not to be used by any party in any way to replace the professional skill and judgment of physicians and other health care providers. The Software is not to be used to guide or determine care provided by physicians and other health care providers, nor as a substitute for an accurate patient medical record and/or sound medical judgment by the treating physician or other health care provider. CUSTOMER’s personnel and all healthcare providers are solely responsible for the care of their patients and for determining whether to rely on the data and information contained within the Software. Any reliance for any purpose directly or indirectly related to patient care cannot in any way be controlled by Net Health and CUSTOMER is responsible for verifying the accuracy and completeness of any medical or other similar information contained in, entered into, or used in connection with the Software.
(a) CUSTOMER acknowledges that the Software contains proprietary information of Net Health, and such information is deemed confidential/proprietary information, the disclosure of which is restricted by this section. CUSTOMER agrees to maintain the confidentiality of the Software in a manner using at least as great a degree of care as the manner used to maintain the confidentiality of CUSTOMER’S own confidential information. Unless otherwise permitted by this Agreement, CUSTOMER shall not disclose any of Net Health’s confidential or proprietary information to any third party without the prior written consent of Net Health. CUSTOMER further agrees that the confidentiality obligations contained herein shall apply to CUSTOMER’s agents and employees that utilize the Software, and that CUSTOMER is wholly responsible for its users’ compliance with this provision.
(b) CUSTOMER, its authorized affiliates, agents, and subcontractors shall not sell, transfer, publish, disclose, display, reverse engineer, or otherwise make available to others the Software or any other material relating to the Software. CUSTOMER shall protect the Software, and any other material relating to the Software, from unauthorized access and use, including using passwords made known only to CUSTOMER’S employees who use the Software as a regular part of their employment and giving its employees written notification of the requirements of this section. CUSTOMER shall advise Net Health immediately if CUSTOMER learns or has reason to believe that any of CUSTOMER’S employees, agents, independent contractors, or affiliates has violated or intends to violate the terms of this section, and CUSTOMER will cooperate with Net Health in seeking injunctive or other equitable relief against any such person including giving Net Health access to all relevant documents and the opportunity to interview CUSTOMER’S employees.
8. Use of De-Identified Data.
In further consideration of the CUSTOMER’s use and access of the Software, Net Health may use in its business, on a perpetual, irrevocable basis, without obligation to CUSTOMER, de-identified patient data and information that is collected and uploaded to the Software including, but not limited to, patients’ gender, age, medical histories and treatment (collectively, the “Data”). Under no circumstances shall Net Health use or disclose personal health information except in the de-identified form as described above and in compliance with HIPAA.
Following execution of this Agreement and during the Term hereof, Net Health shall be permitted to utilize CUSTOMER’S name and logo in marketing materials, customer lists, and in press releases noting that CUSTOMER is a Net Health customer.
10. Warranty Disclaimer; Limitation Of Liability.
(a) THE SOFTWARE IS INTENDED TO BE USED IN THE CONTEXT OF CERTAIN HEALTHCARE SETTINGS. WHEN USED IN SUCH SETTINGS, CUSTOMER AND ITS AUTHORIZED PROVIDERS ARE ULTIMATELY RESPONSIBLE FOR FOLLOWING ALL APPLICABLE MEDICAL PROTOCOLS AND POLICIES AND FOR ANY MEDICAL CARE AND HEALTHCARE SERVICES RENDERED TO INDIVIDUALS. ANY GUIDANCE PROVIDED OR SUGGESTED BY NET HEALTH, THROUGH THE SOFTWARE OR OTHERWISE, THAT MAY BE INTERPRETED AS RELATING TO MEDICAL PROTOCOLS AND POLICIES OR THE MEDICAL CARE OR HEALTHCARE SERVICES RENDERED TO INDIVIDUALS IS PURELY ADVISORY IN NATURE AND SHOULD NOT BE SUBSTITUTED FOR A HEALTHCARE PROVIDER’S PROFESSIONAL JUDGMENT. NET HEALTH DOES NOT WARRANT THAT THE SOFTWARE CAN OR WILL DIAGNOSE ANY MEDICAL CONDITION, DETECT RISK FACTORS RELEVANT TO ANY MEDICAL CONDITION; OR PROVIDE ANY TREATMENT DECISIONS OR RECOMMENDATIONS RELATED TO A MEDICAL CONDITION. NET HEALTH DISCLAIMS, AND CUSTOMER RELEASES NET HEALTH FROM, ANY AND ALL LIABILITY RELATING TO PERSONAL INJURY, MEDICAL MALPRACTICE, OR OTHER CLAIMS RELATING TO ADHERENCE TO APPLICABLE MEDICAL PROTOCOLS AND POLICIES AND MEDICAL CARE AND HEALTHCARE SERVICES RENDERED TO INDIVIDUALS. THE WARRANTIES PROVIDED IN THIS AGREEMENT ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY NET HEALTH. NET HEALTH MAKES AND CUSTOMER RECEIVES NO OTHER WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS AGREEMENT OR ANY OTHER COMMUNICATION, REGARDING THE SOFTWARE OR ANY MAINTENANCE OR SUPPORT SERVICES RELATED THERETO, DEVELOPMENT, INTERFACES OR CONSULTING SERVICES AND NET HEALTH SPECIFICALLY DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
(b) In no event shall Net Health be liable to CUSTOMER for any loss of profits; any incidental, special, exemplary, or consequential damages; or any claims or demands brought against CUSTOMER, even if Net Health has been advised of the possibility of such damages. Net Health’s total liability with respect to all causes of action together will not exceed the total amount of Fees paid by CUSTOMER to Net Health under the applicable Purchase Schedule in the twelve (12) months before such claim arose.
11. Governing Law and Jurisdiction.
This Agreement and all Purchase Schedules and other exhibits hereto shall be governed and construed in all respects in accordance with the laws of the Commonwealth of Pennsylvania without regard to any conflict of laws principles. Any disputes arising out of this Agreement will be subject to the exclusive jurisdiction of the state and federal courts located in Allegheny County, Pennsylvania, each party hereby consents to the jurisdiction of such courts, and neither party shall bring any action hereunder in any other court.
Any exhibit appended to this Agreement is hereby incorporated herein by reference.
13. Force Majeure.
Net Health shall not be liable for breach of this Agreement, or any Purchase Schedule, caused by circumstances beyond Net Health’s reasonable control.
All notices required by this Agreement shall be in writing and shall be delivered by hand, United States Postal Service certified mail, or overnight courier to the other party at such party’s address set forth in the opening paragraph of this Agreement, or to such other address as each party may designate in writing.
This Agreement, the Purchase Schedules and the Business Associate Agreement, constitutes the entire agreement of the parties with respect to the subject matter contained herein, and supersedes all prior representations, proposals, discussions, and communications, whether oral or written. This Agreement may be modified from time to time by Net Health. Net Health will make best commercial efforts to notify CUSTOMER of any modification to this Agreement, such as, by e-mail and/or by posting on Net Health’s website. CUSTOMER’s continued use of the Software following any notification or posting of a modification to the Agreement shall mean CUSTOMER accepts such modification. The product specific terms located at www.nethealth.com/productspecificterms (to the extent applicable to the software, products or service reflected on a Purchase Schedule) are incorporated herein and shall apply to CUSTOMER’s use of such software, products or services.
Sections 1(c), 4, 5, 6, 7, 8, 10, 11 and this Section 16 shall survive any termination or expiration of this Agreement.
Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into by and between Net Health Systems, Inc. (“Business Associate”) and you (“Covered Entity”). This Agreement sets out the responsibilities and obligations of Business Associate as a business associate of Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
A. Business Associate and Covered Entity have entered into a certain Purchase Schedule and Master Agreement (“Master Agreement”) under which Business Associate has agreed to provide Covered Entity with certain software and/or related services;
B. Business Associate and Covered Entity have mutual obligations under the Master Agreement that will require Business Associate and Covered Entity to use or disclose Covered Entity’s PHI of Individuals as that term is defined under HIPAA; and
C. This Agreement is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Covered Entity to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.
NOW, THEREFORE, in consideration of the foregoing, the agreements contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the parties, Business Associate and Covered Entity agree as follows:
Section 1 – Definitions
1.1 Terms Defined in Regulation. Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms are defined in the Privacy Rule, the Security Rule, and the Breach Notification Rule promulgated pursuant to the HITECH Act, 45 C.F.R. 164.402.
1.2 Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, section 13400(5).
1.3 Electronic Protected Health Information. “Electronic Protected Health Information” (sometimes “ePHI”) shall have the same meaning as the term ‘electronic protected health information’ in 45 C.F.R. 160.103 limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
1.4 Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
1.5 Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “protected health information” in 45 C.F.R. 160.103, limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
Section 2 – Obligations & Activities of Business Associate under the Privacy Rule
2.1 Business Associate agrees to comply with all applicable Use and Disclosure provisions of the Privacy Rule as directed under section 13404 of the HITECH Act. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
2.2 Business Associate agrees that any Use or Disclosure of PHI shall comply with the Privacy Rule, as applicable to Business Associate.
2.3 Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement, the Master Agreement, or as Required by Law. Business Associate shall Use or Disclose only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the Use or Disclosure, in accordance with any current or future guidance issued by the Department of Health and Human Services regarding the “minimum necessary” use or disclosure of PHI. Except as otherwise permitted under HIPAA, Covered Entity shall provide to Business Associate only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
2.4 Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
2.5 Business Associate agrees to report to Covered Entity’s Privacy Official any Use or Disclosure of PHI for purposes other than those permitted by this Agreement and/or the Master Agreement of which it becomes aware.
2.6 Business Associate agrees to ensure that any agent or subcontractor to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to substantially the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
2.7 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will make such PHI available to Covered Entity in order for Covered Entity to meet the requirements under 45 C.F.R. 164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of such request. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request. Business Associate will notify Covered Entity of any request (including subpoenas) that Business Associate receives for access to PHI that is within Business Associate’s custody, and Covered Entity will be responsible for providing an appropriate response.
2.8 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will provide such PHI to Covered Entity for amendment. If an Individual makes a request for amendment directly to Business Associate, Business Associate will forward such request in writing to Covered Entity. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.
2.9 Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, as applicable, for purposes of determining Covered Entity’s compliance with HIPAA or the HITECH Act. No attorney-client, accountant-client or other legal privilege will be deemed waived by Business Associate or Covered Entity as a result of compliance with this Section.
2.10 Business Associate agrees to document such disclosures of PHI in its possession and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528. At a minimum the following information regarding the disclosure will be documented: 1) the date of the disclosure; 2) the name of the entity or person who received the PHI, and the address of such entity or person; 3) a brief description of the PHI disclosed; 4) a brief statement regarding the purpose and an explanation of the basis of such disclosure; and 5) the names of the Individuals whose PHI was disclosed.
2.11 Business Associate agrees to provide to Covered Entity, upon written request, information collected in accordance with Section 2.10 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
2.12 To the extent that Covered Entity uses or maintains an Electronic Health Record that discloses any PHI to a third party, and/or to the extent Business Associate’s licensed software is deemed to be an Electronic Health Record that discloses any PHI to a third party, Business Associate agrees to cooperate with Covered Entity to ensure that, as of any applicable compliance date, such Electronic Health Record is capable of providing the information required by the then current provisions of the HITECH Act, or any regulations promulgated thereunder, for an accounting of disclosures of PHI through an Electronic Health Record.
Section 3 – Permitted Uses & Disclosures by Business Associate
3.1 General Use and Disclosure Provision. Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI obtained from or on behalf of Covered Entity to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement and/or the Master Agreement, provided that such Use or Disclosure complies with HIPAA and the HITECH Act.
3.2 Specific Use and Disclosure Provision.
a. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
b. Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate. Business Associate may Disclose PHI to a third party for such purposes only if: (1) the Disclosure is Required by Law; or (2) Business Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) Use or Disclose the PHI only as Required by Law or for the purposes for which it was Disclosed to the recipient; and (iii) notify the Business Associate of any other Use or Disclosure of PHI.
c. Business Associate may Use or Disclose PHI to perform Data Aggregation as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
d. Business Associate and its subcontractor(s) may also Use and Disclose PHI to create de-identified information consistent with the standard for de-identification of PHI set forth at 45 C.F.R. 164.514. Business Associate and its subcontractor(s) shall be permitted to further Use or Disclose such de-identified information provided that such Use or Disclosure is not prohibited by law. The parties understand that properly de-identified information is not PHI and is not subject to the terms and conditions of this Agreement.
Section 4 – Obligations & Activities of Business Associate under the Security Rule and HITECH Act
4.1 Business Associate will implement and maintain appropriate safeguards to prevent any Use or Disclosure of PHI for purposes other than those permitted by this Agreement or the Master Agreement, including administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any ePHI, if any, that Business Associate receives from Covered Entity or creates, maintains, or transmits on behalf of Covered Entity. Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
4.2 Business Associate agrees to ensure that any agent, including subcontractors, to whom it provides ePHI agree in writing to implement reasonable and appropriate safeguards to protect the ePHI.
4.3 Business Associate agrees to report to Covered Entity any Security Incident involving ePHI of which Business Associate becomes aware in which there is a successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
4.4 Business Associate agrees to notify Covered Entity no later than sixty (60) days following the discovery of a Breach of Unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Such notices shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during such Breach.
4.5 Business Associate agrees to make its policies and procedures, and any documentation required under the Security Rule available to the Secretary, within fifteen (15) days or in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s and/or Covered Entity’s compliance with the Security Rule.
Section 5 – Obligations & Restrictions of Covered Entity
5.1 Except as Required by Law, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under the Services agreements.
5.2 Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate in writing of any changes in, or revocations of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.3 Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Business Associate’s use or disclosure of PHI under the Services agreement unless such restriction is Required by Law.
5.4 Covered Entity shall not request or permit Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity (except for those activities which are permissible for Business Associate to undertake under HIPAA).
Section 6 – Term and Termination
6.1 Term. This Agreement shall become effective on the date the initial Purchase Schedule and shall terminate when the Master Agreement terminates.
6.2 Continuation of Agreement. This Agreement supersedes any prior Business Associate Agreement between Covered Entity and Business Associate. This Agreement shall continue after any new Master Agreement is entered into between Covered Entity and Business Associate except to the extent that such other agreement includes business associate agreement provisions or specifically states that it supersedes this Agreement.
6.3 Termination for Cause. Upon a party’s knowledge of a material breach by the other party, the non-breaching party shall either:
a. Provide an opportunity for the other party to cure the breach or end the violation within thirty (30) days of receipt of written notice of such breach or violation, and terminate this Agreement if the other party does not cure the breach or end the violation within such thirty (30) day period or begin taking steps to cure the breach or violation and proceed promptly to completion of such cure; or
b. Immediately terminate this Agreement if the other party has breached a material term of this Agreement and cure is not possible.
6.4 Effect of Termination.
a. Except as provided in paragraph (b) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI.
b. In the event that Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Section 7 – Miscellaneous
7.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule or HITECH Act means the relevant section as in effect or as amended.
7.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as necessary to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, the HITECH Act, and any rules and regulations adopted in the future to provide additional guidance with respect to the above.
7.3 Independent Contractors. None of the provisions of this Agreement shall create or be construed to create any relationship between the parties other than that of independent entities contracting for the sole purpose of effecting the provisions of this Agreement and the Master Agreement. Neither party, nor any of their respective agents or employees, shall be construed to be the agent, employee or representative of the other party.
7.4 No Agency Relationship. Nothing in this Agreement is intended to make either party an agent of the other. Nothing in this Agreement is intended to confer upon Covered Entity the right or authority to direct or control Business Associate’s conduct in the course of Business Associate complying with the Agreement or the Master Agreement.
7.5 Survival. The respective rights and obligations of Business Associate under Section 6.4 of this Agreement shall survive the termination of this Agreement.
7.6 No Third Party Beneficiaries. This Agreement is effective only in regard to the rights and obligations of Covered Entity and Business Associate. Covered Entity and Business Associate do not intend this Agreement to create any independent rights in any third party or to make any third party a beneficiary of this Agreement.
7.7 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Business Associate and Covered Entity to comply with the Privacy Rule, the Security Rule, HIPAA and its rules and regulations as they may become available or effective, and the HITECH Act and its rules and regulations as they may become available or effective.
7.8 Counterparts and Signature. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original and when taken together shall constitute one agreement. Facsimile and electronic signatures shall be deemed to be original signatures for all purposes of this Agreement.
7.9 Choice of Law. The validity, construction and effect of this Agreement will be governed by the laws of the Commonwealth of Pennsylvania without giving effect to that state’s conflict of laws rules. Any dispute will be resolved in accordance with the dispute resolution terms in the Master Agreement.
7.10 Relationship to Provisions in Other Agreements. In the event that a provision of this Agreement is contrary to a provision of the Master Agreement or any other agreement or agreements under which Covered Entity discloses PHI to Business Associate, this Agreement shall control in regards to the Use and Disclosure of PHI.