Net Health Systems, Inc. (“Net Health”) will provide the software (the “Software”) in accordance with the Software Subscription Agreement between Net Health and CUSTOMER, and the Terms and Conditions and Business Associate Agreement found below (collectively, the “Agreement”).
TERMS AND CONDITIONS
(a) Use and Access of Software. Subject to the terms, conditions and limitations set forth in this Agreement, CUSTOMER shall have the non-exclusive, non-transferable right to use and access the Software for the term set forth therein, and to receive other related services, if any, supplied by Net Health hereunder for use by the designated sites and healthcare providers/users set forth in the Agreement.
(b) Limitations. Except as otherwise expressly set forth herein, CUSTOMER receives no right to copy, distribute, disseminate, modify, reverse engineer or license/sublicense the Software or any component thereof. Subject to the foregoing restrictions and the confidentiality obligations contained in these Terms, CUSTOMER’S affiliates and those agents and subcontractors of CUSTOMER that have agreed in writing to abide by the terms and conditions of this Agreement may access and/or use the Software solely for CUSTOMER’S benefit hereunder. CUSTOMER at all times shall be responsible and liable to Net Health for any use of the Software by such affiliates, agents or subcontractors.
(c) Title & Ownership of Rights. Title to the Software and all additional programs developed by Net Health for CUSTOMER hereunder, and all copies thereof are proprietary to Net Health and title thereto remains with Net Health. In addition, CUSTOMER acknowledges that Net Health is the owner of all right, title and interest in the Software and in any derivative works of and improvements upon Software, regardless of any assistance or involvement by agents or employees of CUSTOMER in any such improvements or derivatives.
2. Independent Contractor. In connection with Net Health’s provision of the Software, Net Health and each person provided by Net Health to CUSTOMER hereunder shall act solely as an independent contractor and nothing herein contained shall at any time be so construed as to create a relationship of employer and employee, partnership, principal and agent, or joint venture as between CUSTOMER and Net Health or between CUSTOMER and any person provided by Net Health to CUSTOMER hereunder.
3. Term and Termination.
(a) The term of the Agreement (“Term”) shall commence on the Effective Date of the Agreement and continue thereafter for the Initial Term, subject to earlier termination in accordance with these Terms and Conditions. Upon the expiration of the Initial Term, unless stated otherwise in the Agreement, the Agreement will automatically renew for successive terms of equal length with the Initial Term (each a “Renewal Term”) at the Fees set forth in Section 4(b) of these Terms and Conditions, unless either party elects to terminate the Agreement by giving the other party written notice of such election at least sixty (60) days before the expiration of the then-current Term.
(b) Termination. If CUSTOMER commits a material breach of the Agreement, including these Terms and Conditions and/or the BAA, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from Net Health, Net Health may terminate the Agreement upon written notice to CUSTOMER and CUSTOMER shall pay all remaining Fees from the date of termination to the end of the current Term. If Net Health commits a material breach of the Agreement, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from CUSTOMER, CUSTOMER may terminate this Agreement upon written notice.
(a) General. In consideration of the Software provided by Net Health pursuant to the Agreement, CUSTOMER shall pay to Net Health the amounts provided for in the applicable Agreement (the “Fee(s)”) and in accordance with the payment terms set forth in the Agreement.
(b) Renewal & Third-Party Fees. For any Renewal Term, the Fees shall be Net Health’s then-current Fees. In addition, Net Health may increase Fees at any time in an amount equal to any charges imposed by third parties for any third party components used in connection with the Software.
(c) Taxes Not Included. To the extent applicable, the Fees listed in the Agreement do not include taxes, duties, or other fees, and CUSTOMER shall reimburse Net Health for all such taxes appropriately assessed and paid related to any Software provided pursuant to this Agreement, except for those taxes based on Net Health’s net income.
(d) Late Payment. If any of the Fees are not paid to Net Health by CUSTOMER when due, then the Software may not become available to CUSTOMER until such Fees are paid in full. Payments not made when due will be subject to interest charges at a rate equal to the lesser of one and one-half percent (1.50%) per month, or the maximum rate allowable by law and will accrue monthly on all outstanding balances until paid. CUSTOMER shall be responsible for paying all costs of collection, including reasonable attorneys’ fees, and where lawful, collection agency fees. If payment is not received within sixty (60) days of such payment due date, any and all warranties provided pursuant to the terms of this Agreement shall be voided, and Software provided to CUSTOMER pursuant to the terms of the Agreement will be suspended until payment is received. Software shall be reinstated when CUSTOMER’S payment is received in full. Except for termination by CUSTOMER in accordance with this Agreement, all payment obligations under this Agreement are non-cancelable and non-refundable.
5. CUSTOMER Responsibilities & Acknowledgements.
(a) CUSTOMER shall be responsible for the following, unless otherwise set forth in the Agreement: adherence to specified system requirements; running and maintaining all computer network and internet connections necessary for CUSTOMER to use the Software; and all data conversion (if applicable).
(b) CUSTOMER will fully cooperate with Net Health in its performance of any services and will at all times provide Net Health with at least one reliable point of contact for purposes of overseeing such services.
(c) CUSTOMER will participate fully in the implementation of the Software, including, as applicable, attending training sessions, performing applicable file builds, and complying with other reasonable Net Health instructions regarding the implementation. In no event shall CUSTOMER delay the start of implementation of the applicable Software beyond the applicable Billing Start Date (as set forth in the applicable Agreement). In the event CUSTOMER delays the completion of the implementation of the Software beyond the Billing Start Date, for each month thereafter until the Software is fully implemented, CUSTOMER shall pay to Net Health the greater of (i) one-half of the monthly Fees due for the Software, or (ii) $350.00/month.
(d) Net Health will not be responsible for any issues resulting from CUSTOMER’S failure to comply with the parties’ mutually agreed upon plan for implementing the Software.
(e) CUSTOMER acknowledges that the Software may use, incorporate or access Third Party Products, or that CUSTOMER may use, incorporate or access Third Party Products in conjunction with CUSTOMER’s use of the Software, or any other product or service provided to CUSTOMER by Net Health. To the extent that CUSTOMER uses, incorporates or accesses any Third Party Products that are provided by Net Health to CUSTOMER, CUSTOMER acknowledges that continued usage of such Third Party Product(s) is contingent on Net Health’s continued relationship with such Third Party Product vendor and that such use may be subject to additional terms and conditions of the applicable Third Party Product vendor. To the extent CUSTOMER uses, incorporates or accesses any Third Party Products that are not provided by Net Health to CUSTOMER, CUSTOMER represents it has obtained and covenants it will obtain the necessary rights or licenses from the applicable third party vendors to use such Third Party Products and agrees that Net Health shall not be liable for CUSTOMER’s failure to obtain such rights or licenses. Net Health makes no representation or warranty with respect to any such Third Party Products. Net Health shall not be liable for any damages, costs, or expenses, direct or indirect, arising out of the performance or failure to perform of Third Party Products. “Third Party Products” includes, but is not limited to, any product, technology, tool, database, software, works, coding scheme or other intellectual property developed or owned by a third party. To the extent that CUSTOMER utilizes billing software provided by Net Health, the terms and conditions located at www.nethealth.com/CPT-End-User-Agreement also apply with regard to the CPT codes located within such billing software.
(f) CUSTOMER agrees that it shall use the Software solely in a manner that complies with this Agreement and all applicable laws.
(g) CUSTOMER acknowledges that the Software may include access to software to be used by CUSTOMER’s personnel as an aid to the organization of patient care. Such software is in no way intended, and the information contained therein is not to be used by any party in any way to replace the professional skill and judgment of physicians and other health care providers. The Software is not to be used to guide or determine care provided by physicians and other health care providers, nor as a substitute for an accurate patient medical record and/or sound medical judgment by the treating physician or other health care provider. CUSTOMER’s personnel and all healthcare providers are solely responsible for the care of their patients and for determining whether to rely on the data and information contained within any Software provided by Net Health. Any reliance for any purpose directly or indirectly related to patient care cannot in any way be controlled by Net Health and CUSTOMER is responsible for verifying the accuracy and completeness of any medical or other similar information contained in, entered into, or used in connection with the Software.
(a) CUSTOMER acknowledges that the Software contains proprietary information of Net Health, and such information is deemed confidential/proprietary information, the disclosure of which is restricted by this section (such information being “Confidential Information”). CUSTOMER agrees to maintain the confidentiality of the Confidential Information in a manner using at least as great a degree of care as the manner used to maintain the confidentiality of CUSTOMER’S own confidential information. Unless otherwise permitted by this Agreement, CUSTOMER shall not disclose any of the Confidential Information to any third party without the prior written consent of Net Health. CUSTOMER further agrees that the confidentiality obligations contained herein shall apply to CUSTOMER’s agents and employees that utilize the Software, and that CUSTOMER is wholly responsible for its users’ compliance with this provision.
(b) CUSTOMER, its authorized affiliates, agents, and subcontractors shall not sell, transfer, publish, disclose, display, reverse engineer, or otherwise make available to others the Software or any other material relating to the Software. CUSTOMER shall protect the Software, including any other material relating to the Software, from unauthorized access and use, including using passwords made known only to CUSTOMER’S employees who use the Software as a regular part of their employment and giving its employees written notification of the requirements of this section. CUSTOMER shall advise Net Health immediately if CUSTOMER learns or has reason to believe that any of CUSTOMER’S employees, agents, independent contractors, or affiliates has violated or intends to violate the terms of this section, and CUSTOMER will cooperate with Net Health in seeking injunctive or other equitable relief against any such person including giving Net Health access to all relevant documents and the opportunity to interview CUSTOMER’S employees.
7. Use of De-Identified Data. In further consideration of the CUSTOMER’s use and access of the Software, Net Health may use in its business, on a perpetual, irrevocable basis, without obligation to CUSTOMER, de-identified patient data and information that is collected and uploaded to any software provided by Net Health including, but not limited to, patients’ gender, age, medical histories and treatment (collectively, the “Data”). Under no circumstances shall Net Health use or disclose such Data except in the de-identified form as described above and in compliance with HIPAA.
8. Publicity. Following execution of this Agreement and during the Term hereof, Net Health shall be permitted to utilize CUSTOMER’S name and logo in marketing materials, customer lists, and in press releases noting that CUSTOMER is a Net Health customer.
9. Warranty Disclaimer; Limitation Of Liability.
(a) THE WARRANTIES PROVIDED IN THIS AGREEMENT ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY NET HEALTH. NET HEALTH MAKES AND CUSTOMER RECEIVES NO OTHER WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS AGREEMENT OR ANY OTHER COMMUNICATION, REGARDING THE SOFTWARE AND NET HEALTH SPECIFICALLY DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
(b) In no event shall Net Health be liable to CUSTOMER for any loss of profits; any incidental, special, exemplary, or consequential damages; or any claims or demands brought against CUSTOMER, even if Net Health has been advised of the possibility of such damages. Net Health’s total liability with respect to all causes of action together will not exceed the total amount of Fees paid by CUSTOMER to Net Health under the applicable Agreement in the twelve (12) months before such claim arose.
10. Governing Law and Jurisdiction. The Agreement and these Terms and Conditions shall be governed and construed in all respects in accordance with the laws of the Commonwealth of Pennsylvania without regard to any conflict of laws principles. Any disputes arising out of this Agreement will be subject to the exclusive jurisdiction of the state and federal courts located in Allegheny County, Pennsylvania, each party hereby consents to the jurisdiction of such courts, and neither party shall bring any action hereunder in any other court.
11. Force Majeure. Net Health shall not be liable for breaches of the Agreement caused by circumstances beyond Net Health’s reasonable control.
12. Notices. All notices required by this Agreement shall be in writing and shall be delivered by hand, United States Postal Service certified mail, or overnight courier to the other party at such party’s address set forth in the opening paragraph of this Agreement, or to such other address as each party may designate in writing.
13. Integration. The Agreement, including these terms and conditions, constitutes the entire agreement of the parties with respect to the subject matter contained herein, and supersedes all prior representations, proposals, discussions, and communications, whether oral or written.
14. CliniSign. The following applies only if CliniSign is included in the Agreement:
(a) By using CliniSign, CUSTOMER is giving Net Health permission to send documents to physicians and other healthcare providers (collectively, “Healthcare Providers”) for electronic signature. The permission and access to records is initiated through the CliniSign enrollment process where a link is established with the individual Healthcare Provider. To revoke permission and access to records, CUSTOMER must remove the link for the Healthcare Provider. CUSTOMER agrees that the Healthcare Provider is entitled to transmit, receive, or exchange Protected Health Information as directed by CUSTOMER and in compliance with HIPAA.
(b) Prior to establishing a link for a specific Healthcare Provider, CUSTOMER agrees to inform the Healthcare Provider that they may receive automated communications by email, text, or both from CliniSign. By providing a Healthcare Provider’s cell phone number or email address, CUSTOMER agrees that the Healthcare Provider has given permission to CUSTOMER for CliniSign to send emails and automated text messages to the Healthcare Provider and has informed the Healthcare Provider.
15. Survival. Sections 1(b), 4, 6, 7, 9, 10, 11, 12, and this Section 15 shall survive any termination or expiration of the Agreement.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is entered into by and between Net Health Systems, Inc. (“Business Associate”) and CUSTOMER (“Covered Entity”) effective as of the effective date of the Agreement between the parties (“Effective Date”). This BAA sets out the responsibilities and obligations of Business Associate as a business associate of Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
- Business Associate and Covered Entity have entered into a certain Agreement (“Agreement”) under which Business Associate has agreed to provide Covered Entity with certain software and/or related services;
- Business Associate and Covered Entity have mutual obligations under the Agreement that may require Business Associate and Covered Entity to use or disclose Covered Entity’s PHI of Individuals as that term is defined under HIPAA; and
- This BAA is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Covered Entity to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.
NOW, THEREFORE, in consideration of the foregoing, the agreements contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the parties, Business Associate and Covered Entity agree as follows:
Section 1 — Definitions
1.1 Terms Defined in Regulation. Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms are defined in the Privacy Rule, the Security Rule, and the Breach Notification Rule promulgated pursuant to the HITECH Act, 45 C.F.R. 164.402.
1.2 Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, section 13400(5).
1.3 Electronic Protected Health Information. “Electronic Protected Health Information” (sometimes “ePHI”) shall have the same meaning as the term ‘electronic protected health information’ in 45 C.F.R. 160.103 limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
1.4 Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
1.5 Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “protected health information” in 45 C.F.R. 160.103, limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
Section 2 – Obligations & Activities of Business Associate under the Privacy Rule
2.1 Business Associate agrees to comply with all applicable Use and Disclosure provisions of the Privacy Rule as directed under section 13404 of the HITECH Act. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
2.2 Business Associate agrees that any Use or Disclosure of PHI shall comply with the Privacy Rule, as applicable to Business Associate.
2.3 Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law. Business Associate shall Use or Disclose only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the Use or Disclosure, in accordance with any current or future guidance issued by the Department of Health and Human Services regarding the “minimum necessary” use or disclosure of PHI. Except as otherwise permitted under HIPAA, Covered Entity shall provide to Business Associate only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
2.4 Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
2.5 Business Associate agrees to report to Covered Entity’s Privacy Official any Use or Disclosure of PHI for purposes other than those permitted by this BAA and/or the Agreement of which it becomes aware.
2.6 Business Associate agrees to ensure that any agent or subcontractor to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to substantially the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
2.7 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will make such PHI available to Covered Entity in order for Covered Entity to meet the requirements under 45 C.F.R. 164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of such request. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request. Business Associate will notify Covered Entity of any request (including subpoenas) that Business Associate receives for access to PHI that is within Business Associate’s custody, and Covered Entity will be responsible for providing an appropriate response.
2.8 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will provide such PHI to Covered Entity for amendment. If an Individual makes a request for amendment directly to Business Associate, Business Associate will forward such request in writing to Covered Entity. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.
2.9 Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, as applicable, for purposes of determining Covered Entity’s compliance with HIPAA or the HITECH Act. No attorney-client, accountant-client or other legal privilege will be deemed waived by Business Associate or Covered Entity as a result of compliance with this Section.
2.10 Business Associate agrees to document such disclosures of PHI in its possession and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528. At a minimum the following information regarding the disclosure will be documented: 1) the date of the disclosure; 2) the name of the entity or person who received the PHI, and the address of such entity or person; 3) a brief description of the PHI disclosed; 4) a brief statement regarding the purpose and an explanation of the basis of such disclosure; and 5) the names of the Individuals whose PHI was disclosed.
2.11 Business Associate agrees to provide to Covered Entity, upon written request, information collected in accordance with Section 2.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
2.12 To the extent that Covered Entity uses or maintains an Electronic Health Record that discloses any PHI to a third party, and/or to the extent Business Associate’s licensed software is deemed to be an Electronic Health Record that discloses any PHI to a third party, Business Associate agrees to cooperate with Covered Entity to ensure that, as of any applicable compliance date, such Electronic Health Record is capable of providing the information required by the then current provisions of the HITECH Act, or any regulations promulgated thereunder, for an accounting of disclosures of PHI through an Electronic Health Record.
Section 3 — Permitted Uses & Disclosures by Business Associate
3.1 General Use and Disclosure Provision. Except as otherwise limited in this BAA, Business Associate may Use or Disclose PHI obtained from or on behalf of Covered Entity to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this BAA and/or the Agreement, provided that such Use or Disclosure complies with HIPAA and the HITECH Act.
3.2 Specific Use and Disclosure Provision.
- Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Except as otherwise limited in this BAA, Business Associate may Use or Disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate. Business Associate may Disclose PHI to a third party for such purposes only if: (1) the Disclosure is Required by Law; or (2) Business Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) Use or Disclose the PHI only as Required by Law or for the purposes for which it was Disclosed to the recipient; and (iii) notify the Business Associate of any other Use or Disclosure of PHI.
- Business Associate may Use or Disclose PHI to perform Data Aggregation as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- Business Associate and its subcontractor(s) may also Use and Disclose PHI to create de-identified information consistent with the standard for de-identification of PHI set forth at 45 C.F.R. 164.514. Business Associate and its subcontractor(s) shall be permitted to further Use or Disclose such de-identified information provided that such Use or Disclosure is not prohibited by law. The parties understand that properly de-identified information is not PHI and is not subject to the terms and conditions of this BAA.
Section 4 – Obligations & Activities of Business Associate under the Security Rule and HITECH Act
4.1 Business Associate will implement and maintain appropriate safeguards to prevent any Use or Disclosure of PHI for purposes other than those permitted by this BAA or the Agreement, including administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any ePHI, if any, that Business Associate receives from Covered Entity or creates, maintains, or transmits on behalf of Covered Entity. Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
4.2 Business Associate agrees to ensure that any agent, including subcontractors, to whom it provides ePHI agree in writing to implement reasonable and appropriate safeguards to protect the ePHI.
4.3 Business Associate agrees to report to Covered Entity any Security Incident involving ePHI of which Business Associate becomes aware in which there is a successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
4.4 Business Associate agrees to notify Covered Entity no later than sixty (60) days following the discovery of a Breach of Unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Such notices shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during such Breach.
4.5 Business Associate agrees to make its policies and procedures, and any documentation required under the Security Rule available to the Secretary, within fifteen (15) days or in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s and/or Covered Entity’s compliance with the Security Rule.
Section 5 – Obligations & Restrictions of Covered Entity
5.1 Except as Required by Law, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under the applicable agreement.
5.2 Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate in writing of any changes in, or revocations of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.3 Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Business Associate’s use or disclosure of PHI under the applicable agreement unless such restriction is Required by Law.
5.4 Covered Entity shall not request or permit Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity (except for those activities which are permissible for Business Associate to undertake under HIPAA).
Section 6 — Term and Termination
6.1 Term. This BAA shall become effective on the date the Agreement becomes effective, and shall terminate when the Agreement terminates.
6.2 Continuation of Agreement. This BAA supersedes any prior Business Associate Agreement between Covered Entity and Business Associate. This BAA shall continue after any new Agreement is entered into between Covered Entity and Business Associate except to the extent that such other agreement includes business associate agreement provisions or specifically states that it supersedes this BAA.
6.3 Termination for Cause. Upon a party’s knowledge of a material breach by the other party, the non-breaching party shall either:
- Provide an opportunity for the other party to cure the breach or end the violation within thirty (30) days of receipt of written notice of such breach or violation, and terminate this BAA if the other party does not cure the breach or end the violation within such thirty (30) day period or begin taking steps to cure the breach or violation and proceed promptly to completion of such cure; or
- Immediately terminate this BAA if the other party has breached a material term of this BAA and cure is not possible.
6.4 Effect of Termination.
(a) Except as provided in paragraph (b) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI.
(b) In the event that Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Section 7 — Miscellaneous
7.1 Regulatory References. A reference in this BAA to a section in the Privacy Rule, Security Rule or HITECH Act means the relevant section as in effect or as amended.
7.2 Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as necessary to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, the HITECH Act, and any rules and regulations adopted in the future to provide additional guidance with respect to the above.
7.3 Independent Contractors. None of the provisions of this BAA shall create or be construed to create any relationship between the parties other than that of independent entities contracting for the sole purpose of effecting the provisions of this BAA and the Agreement. Neither party, nor any of their respective agents or employees, shall be construed to be the agent, employee or representative of the other party.
7.4 No Agency Relationship. Nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Covered Entity the right or authority to direct or control Business Associate’s conduct in the course of Business Associate complying with the Agreement or the Agreement.
7.5 Survival. The respective rights and obligations of Business Associate under Section 6.4 of this BAA shall survive the termination of this BAA.
7.6 No Third Party Beneficiaries. This BAA is effective only in regard to the rights and obligations of Covered Entity and Business Associate. Covered Entity and Business Associate do not intend this BAA to create any independent rights in any third party or to make any third-party beneficiary of this BAA.
7.7 Interpretation. Any ambiguity in this BAA shall be resolved to permit Business Associate and Covered Entity to comply with the Privacy Rule, the Security Rule, HIPAA and its rules and regulations as they may become available or effective, and the HITECH Act and its rules and regulations as they may become available or effective.
7.8 Choice of Law. The validity, construction and effect of this BAA will be governed by the laws of the Commonwealth of Pennsylvania without giving effect to that state’s conflict of laws rules. Any dispute will be resolved in accordance with the dispute resolution terms in the Agreement.
7.9 Relationship to Provisions in Other Agreements. In the event that a provision of this BAA is contrary to a provision of the Agreement or any other agreement or agreements under which Covered Entity discloses PHI to Business Associate, this BAA shall control in regards to the Use and Disclosure of PHI.