Software Agreement — Referral Intel

Referral Intel Software Agreement

Please read this Referral Intel Software Agreement (this “Agreement”) carefully. This Agreement constitutes a legally binding agreement between Referral Intel (“Provider”), and you, (“Customer”) and govern your use of the Referral Intel Platform (“Services”). Provider and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.”

BY CLICKING THE ‘ACCEPT’ BOX, OR USING THE SERVICES, CUSTOMER ACCEPTS AND AGREES TO BE BOUND BY THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO BE BOUND BY THIS AGREEMENT, PLEASE DO NOT ACCESS OR USE THE SERVICES.

The Parties agree as follows:

1. Definitions.

(a) “Authorized User” means Customer’s employees, consultants, contractors, and agents (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Services has been purchased hereunder.

(b) “Customer Data” means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services.

(c) “Documentation” means Provider’s user manuals, handbooks, and guides relating to the Services provided by Provider to Customer either electronically or in hard copy form.

(d) “Provider IP” means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Provider IP does not include Customer Data.

2. Access and Use.

(a) Provision of Access. Subject to and conditioned on Customer’s payment of Fees and compliance with all other terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 11‎(g)) right to access and use the Services during the Initial Term or Renewal Terms, solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Provider shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Services.

(b) Documentation License. Subject to the terms and conditions contained in this Agreement, Provider hereby grants to Customer a non-exclusive, non-sublicensable, non-transferable (except in compliance with Section 11‎(g)) license to use the Documentation during the Initial Term or Renewal Terms (as defined in Section 10) solely for Customer’s internal business purposes in connection with its use of the Services.

(c) Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services or Documentation; or (v) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.

(d) Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.

(e) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Provider’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; or (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Services (any such suspension described herein, a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.

3. Customer Responsibilities. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions.

4. Fees and Payment.

(a) Fees. Customer shall pay Provider the fees (“Fees”) as set forth in our ‘Sing-Up’ page without offset or deduction.

(b) Taxes. Customer shall be responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental entity on any amounts payable by Customer hereunder; provided, that, in no event shall Customer pay or be responsible for any taxes imposed on, or regarding, Provider’s income, revenues, gross receipts, personnel, or real or personal property or other assets.

(c) Payments: Customer will be invoiced for the amounts and prices set forth in our ‘Sign-Up’ page. Payments to Provider will be made in United States dollars to the address provided by Provider to Customer. All payments are due upon receipt of the invoice. If Customer fails to pay the recurring subscription fee required to maintain their selected type of subscription, Customer will not be permitted to further use the Services. All payment obligations are non-cancellable and all amounts paid are non-refundable, except for amounts paid in error that are not actually as detailed in our ‘Sign-Up’ page.

(d) Late Payments: Past due payments and charges will be subject to a late payment charge calculated at an annual rate of five percent (5%) over the prime rate (as provided by the U.S. Federal Reserve) during delinquency. If the amount of such charge exceeds the maximum permitted by law, such charge will be reduced to such maximum. If Provider incurs any fees or expenses for collection of monies owed, Customer will be responsible for reimbursing Provider for any such expenses. In any case such payment is not paid in full when due, in addition to any other remedy otherwise available to Provider. If payment is not received within 30 days after an invoice is sent to Customer by Provider, Provider reserves the right to terminate access to the Services, at its sole discretion, until payment is satisfied. In the event the account becomes delinquent and satisfactory arrangements have not been made for payment, Customer agrees to pay all collections costs and reasonable attorney fees.

5. Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information in written or electronic form or media, that is marked, designated, or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

6. Use of Information Collected by Referral Intel Platform. Before submitting any third party’s personal information to the Services, Customer will obtain all permissions, consents, and authorizations necessary to provide such information to Provider and for Provider to use such information to perform the services in accordance with Provider’s Notice of Privacy Practices, as required by law. If applicable law allows Customer to provide the information without doing the foregoing, Customer represents and warrants that Customer has abided by that law and that it allows Provider to receive, use, and disclose the information to perform the Services in accordance with Provider’s Notice of Privacy Practices without further action on Provider’s part. Customer represents, warrants and agrees that they will not sell, distribute, publish, transfer or otherwise make available to any third party personal information collected via the Services, unless Customer has obtained prior consent from the third party concerned or is authorized or required to do so by applicable law.

7. Intellectual Property Ownership; Feedback.

(a) Provider IP. Customer acknowledges that, as between Customer and Provider, Provider owns all right, title, and interest, including all intellectual property rights, in and to the Provider IP.

(b) Customer Data. Provider acknowledges that, as between Provider and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer. Customer is responsible for obtaining all necessary rights to the Customer Data. Nothing in this Agreement restricts Provider from collecting, using, and analyzing general information and data from its customers (including Customer) for purposes of improving and enhancing the quality and nature of services offered by Provider, or to market or publish general information and statistics, provided that Provider does not specifically identify Customer or disclose any personal information in the course of collecting, using, analyzing, marketing or publishing such information or data.

(c) Feedback. If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider on Customer’s behalf, and on behalf of its employees, contractors, and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.

8. Warranty Disclaimer. THE PROVIDER IP IS PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

9. Indemnification.

(a) Provider Indemnification.

(i) Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services, or any use of the Services in accordance with this Agreement, infringes or misappropriates such third party’s US patents, copyrights, or trade secrets, provided that Customer promptly notifies Provider in writing of the claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such claim.

(ii) If such a claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.

(iii) This Section 8‎(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; (B) modifications to the Services not made by Provider; or (C) Customer Data.

(b) Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party’s US intellectual property rights and any Third-Party Claims based on Customer’s or any Authorized User’s (i) negligence or willful misconduct; (ii) use of the Services in a manner not authorized by this Agreement; (iii) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; or (iv) modifications to the Services not made by Provider, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

(c) Sole Remedy. THIS SECTION ‎9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY. IN NO EVENT WILL PROVIDER’S LIABILITY UNDER THIS SECTION 8 EXCEED $5,000.

10. Limitations of Liability. IN NO EVENT WILL PROVIDER BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY, OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED TWO TIMES THE TOTAL AMOUNTS PAID TO PROVIDER UNDER THIS AGREEMENT IN THE TWO-YEAR PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR $5,000, WHICHEVER IS LESS.

11. Term and Termination.

(a) Term. The term of this Agreement begins on the Effective Date and, unless terminated earlier pursuant to this Agreement’s express provisions, will continue in effect for one month (for monthly subscribers), or one year (for yearly subscribers) ( “Initial Term”). Thereafter, this Agreement will renew for successive one-month terms (for monthly subscribers) or one-year (for yearly subscribers) (“Renewal Term”) unless either party provides thirty (30) days written notice of termination prior to the end of the Initial Term or the Renewal Term, or until terminated in accordance with this Section 10.

(b) Termination. Provider may terminate this Agreement upon written notice to Customer if Customer materially breaches this Agreement (which includes Customer’s failure to timely pay any Fees or if Customer’s activities under this Agreement violate applicable laws) and fails to remedy any breach of this Agreement within 30 days after such breach. Termination under this section will be in addition to any other rights or remedies available to Provider.

(c) Effect of Termination. Upon termination or expiration of this Agreement, (i) all of Customer’s rights will immediately cease. Provider will delete or return Customer Data and Provider will have no obligation to continue providing the Services to Customer following the termination of this Agreement. Termination under this section does not excuse any of Customer’s obligations to pay any Fees specified in Section 4.

(d) Survival. This Section ‎11(d) and Sections ‎1, ‎4, ‎5, ‎6, ‎8, ‎9, ‎10, and ‎12 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

12. Miscellaneous.

(a) Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.

(b) Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), facsimile or email (with confirmation of transmission), or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section.

(c) Force Majeure. In no event shall Provider be liable to Customer, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Provider’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.

(d) Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

(e) Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

(f) Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of the State of Washington without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Washington. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Washington in each case located in the city of Seattle and King County, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

(g) Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Provider. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

(h) Export Regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), that prohibit or restrict the export or re-export of the Services or any Customer Data outside the US.

(i) Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section ‎5 or, in the case of Customer, Section 2‎(c), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.

(j) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

HIPAA Business Associate Agreement

1. PREAMBLE AND DEFINITIONS.

1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), you (“Covered Entity”) and Referral Intel, or any of its corporate affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”), and is effective as of the effective date of the Software Agreement (the “Underlying Agreement”) entered into by Covered Entity and Business Associate (the “Effective Date”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

1.2 This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Underlying Agreement.

1.3 Consistent with the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.

1.4 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.

1.5 A reference in this BAA to the “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and Subparts A and E of Part 164, as amended by the HITECH Act, ARRA, and the HIPAA Rules, and as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required.

2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.

2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by the BAA.

2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

2.4 Business Associate agrees to the following breach notification requirements:

(a) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 30 calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(b) In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section ‎2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

2.6 Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

(a) Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.

(b) Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).

(c) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

2.8 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 1.5).

2.9 To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

2.10 Business Associate agrees to account for the following disclosures:

(a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.10, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section ‎5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the six years prior to the date on which the accounting is requested from Covered Entity.

2.11 Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

2.12 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.

3.1 General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in Section ‎5), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.

3.2 Business Associate may use or disclose PHI as Required By Law.

3.3 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures.

3.4 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.

4. OBLIGATIONS OF COVERED ENTITY.

4.1 Covered Entity shall:

(a) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.

(b) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.

(c) Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and Security Rule if done by Covered Entity, except as provided under Section ‎3 of this BAA.

5. COMPLIANCE WITH SECURITY RULE.

5.1 Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

5.2 In accordance with the Security Rule, Business Associate agrees to:

(a) Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA: (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;

(b) Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and

6. INDEMNIFICATION.

The parties agree and acknowledge that except as set forth herein, the indemnification obligations contained under the Underlying Agreement shall govern each party’s performance under this BAA.

7. TERM AND TERMINATION.

7.1 This BAA shall be in effect as of the Effective Date, and shall terminate on the earlier of the date that:

(a) Either party terminates as authorized in the Underlying Agreement.

(b) All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section ‎7.3.

7.2 Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within 30 days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.

7.3 Upon termination of this BAA for any reason, the parties agree that:

Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

(a) Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.

(b) Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form.

(c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.

(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs (b) and (c) above which applied prior to termination.

(e) Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

8. MISCELLANEOUS.

8.1 The terms of this BAA are hereby incorporated into the Underlying Agreement. The terms of the Underlying Agreement that are not modified by this BAA will remain in full force and effect in accordance with the terms thereof.

8.2 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.

8.3 The respective rights and obligations of Business Associate under Section ‎6 and Section ‎7 of this BAA shall survive the termination of this BAA.

8.4 This BAA shall be interpreted in the following manner:

(a) Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

(b) Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.

(c) Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.

8.5 This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

8.6 This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.

8.7 This BAA may be executed in two or more counterparts, each of which shall be deemed an original.

8.8 Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Underlying Agreement.