This RxToolKit Software Agreement (this “Agreement”) together with the Order Form, any exhibits, any Addenum(s) and the BAA below is made as of the Effective Date set forth in the Order Form by and between RxToolKit, LLC, a Texas limited liability company (“RxToolKit”), and the client and its affiliates (“Client”).
WHEREAS, RxToolKit, based in Texas, is in the highly competitive business of developing, building, writing, and distributing proprietary web‐based software applications that are designed to improve medication and vaccine safety and increase clinical competency (the “Business”). Its web-based applications are provided online via the world wide web;
WHEREAS, RxToolKit distributes certain proprietary web-based applications (the “Software”) to healthcare organizations including, but not limited to, health systems, physician practices, infusion centers and infusion and specialty pharmacies (collectively, “Health Orgs”); and
WHEREAS, RxToolKit desires to grant to Client a Usage License (as defined below) to use the Software, and Client desires to obtain such license to use the Software, as provided in this Agreement, subject to the terms and conditions of this Agreement.
NOW, THEREFORE, in consideration of the mutual promises between the parties and for other valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby agree as follows:
a. The initial term of this Agreement shall commence on the Effective Date and continue for the period set forth on the Order Form (the “Initial Term”). Following the expiration of the Initial Term, this Agreement shall automatically renew for successive one (1) year periods (the “Renewal Terms” and together with the Initial Term, the “Term”) unless otherwise terminated in accordance with this Agreement.
b. After the Initial Term, either party may cancel the Agreement at any time, with or without cause, by providing ninety (90) days advance written notice of the termination to the other party.
a. Software. During the Term and so long as Client is not in default, RxToolKit will make available to Client the scope of the Software as indicated on the Order Form and any manuals, updates, enhancements, and revisions that RxToolKit may develop from time-to-time during the Term related to the Software.
b. Installation. Within forty-five (45) days from the Effective Date, RxToolKit will assist Client in gaining access to the Software (and with any Software installation, if applicable). RxToolKit will not be responsible for any delays incurred while assisting Client with gaining access to (or installation of) the Software due to Client’s Hardware incompatibility issues, internet connectivity issues, or other related issues. For the purposes of this Agreement, “Hardware” means any equipment utilized to access and run the Software and includes, but is not limited to, Client’s computers, network systems, modem, DSL lines, VPN access, and similar equipment. RxToolKit does not warrant or guaranty the installation, operation, or compatibility of the Software with Client’s Hardware, or other software utilized by Client.
c. Support. RxToolKit will provide commercially reasonable efforts to provide remote first level technical support for Client. RxToolKit’s team will be available by phone, email, or electronic chat during its normal business hours of Monday thru Friday from 8AM CT to 5PM CT, excluding United States federal recognized holidays that fall on weekdays (“Normal Service Hours”). RxToolKit will also use commercially reasonable efforts to provide remote technical support to Client during periods that do not fall within Normal Service Hours (e.g., after-hours, during weekends, or on United States Federal recognized holidays) in that RxToolKit will use commercially reasonable efforts to respond to Client by telephone, electronic chat or email within five (5) hours from Client’s initial request.
d. Training. RxToolKit will provide training to Client as set forth on the Order Form.
a. Subscription License Fees. Client will pay RxToolKit the monthly licensing fee and such other fees as set forth on the Order Form and/or any Addendum(s). Payment of such fees is due upon receipt of an invoice from RxToolKit. Client acknowledges any custom updates, enhancements, or revisions to the Software requested by Client will not be included in the normal licensing fees, and any such request will be subject to a separate written agreement and separate invoicing to Client.
b. User Count. Client is responsible for promptly notifying RxToolKit of each Client user utilizing the Software. Client users may not share login information with any other individual(s). Client acknowledges that RxToolKit may audit the number of Client users and adjust billings as appropriate. Client agrees to pay any adjusted billings upon receipt of an invoice from RxToolKit.
c. Electronic Payment. All payments due to RxToolKit shall be paid through the use of a debit or credit card or Electronic Funds Transfer from Client’s bank account. All amounts shall be in U.S. Dollars.
Fee Adjustments. Any time after the Initial Term, RxToolKit may, in its sole and absolute discretion, increase its fees upon ninety (90) days’ advance written notice.
d. Software Access. Client will cooperate with RxToolKit (including during and after Client’s normal business hours) to allow access to Client’s systems and Hardware for the purpose of assisting Client with gaining access to the Software (and any necessary installation). Client acknowledges that RxToolKit will not be responsible for any delays incurred while assisting Client with gaining access to (or installation of) the Software due to Client’s Hardware incompatibility issues, internet connectivity issues, or other related issues.
e. Client Existing Software and Hardware. Client acknowledges that RxToolKit is not reviewing Client’s Hardware and existing software in any manner, and RxToolKit is not responsible for any operating system problems or system integrity or incompatibility issues. If RxToolKit determines that Client’s Hardware and/or existing software is incompatible with RxToolKit’s Software, RxToolKit may recommend certain adjustments to Client’s Hardware or existing software that may assist in achieving compatibility. Client’s use of RxToolKit’s recommendations concerning Client’s Hardware and/or existing software is at Client’s sole discretion and responsibility.
RxToolKit grants to Client a non-transferable, non-exclusive, revocable license to use the software for Client’s private use during the Term (the “Usage License“). The Usage License entitles certain agreed upon Client users access to the Software via Client’s own Hardware systems or computers, subject to the following restrictions:
a. Client may not alter or modify the Software in any manner whatsoever;
b. Client may only use the Software for its own use and Software access shall be limited to the number of users that are listed on the Order Form or such additional Client users that are disclosed by Client in writing and agreed to by RxToolKit;
c. Client has the sole responsibility for maintaining any information that it inputs or loads (or asks RxToolKit to input or load on its behalf) into the Software;
d. Client may not (and Client may not permit anyone else to) alter, modify, rent, reverse engineer, create derivative works of, disseminate, or disassemble the Software;
e. Client acknowledges that RxToolKit is the exclusive owner and licensor of the Software and the intellectual property rights associated with RxToolKit and the Software;
f. Client acknowledges the proprietary right of RxToolKit to the Software, and while Client may make the Software available to consultants and independent contractors who are retained by Client to assist in its operations (subject to the number of users listed in the Order Form), Client shall ensure that its consultants and independent contractors adhere to the terms and conditions of this Agreement, including but not limited to, those related to RxToolKit’s proprietary rights and protection of RxToolKit’s confidential information;
g. Client shall be responsible for any consultants or independent contractors that use or have access to the Software, and such use or access shall cease upon the termination of this Agreement;
h. Client may make and retain a copy of the Client’s data input into the Software only as a protective backup of Client’s information contained in the Software.
i. Client acknowledges that RxToolKit solely and exclusively owns the Software, including, but not limited to, any updates, revisions, enhancements, manuals, code, or other information related to the Software.
a. RxToolKit does not warrant or represent that the Software is free from error or will meet Client’s Hardware system requirements. To the extent not prohibited by law, the Software and any and all updates and enhancements are provided “AS IS” with no warranties, express, implied, at law, or in equity, of any kind (including warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement and any warranty arising out of any course of performance, course of dealing, or usage of trade). RxToolKit specifically disclaims any warranty with respect to the Software’s compatibility with or how the Software will behave, communicate, or interplay with Client’s other software applications or Client’s Hardware systems. Client acknowledges that RxToolKit has recommended that Client’s current Hardware and software systems be tested with the Software, with non-critical data, before Client relies on the Software.
b. Client assumes the entire risk of the accuracy and use of external data, including but not limited to, RxToolKit loading data on Client’s behalf and data used in the Software from industry recognized external sources. Client acknowledges that RxToolKit is not responsible for any of Client’s flags or settings that activate or deactivate certain features of the Software.
c. It is Client’s responsibility to thoroughly test and verify the Software, including any updates, enhancements or revisions, and the functions of the Software before there is any reliance on the Software. Client assumes the entire risk of any losses from the operation of the Software. Any use of the Software is entirely at Client’s own risk.
d. The clinical information contained in the Software is intended as a supplement to, and not a substitute for, the knowledge, expertise, skill, and judgment of physicians, nurses, pharmacists, or other healthcare professionals involved in patient care. Likewise, any medication information contained in the Software is intended as a supplement to, and not a substitute for, such medication’s “package insert” approved by the United States Food and Drug Administration (“FDA”) and/or any other information provided by the FDA or other regulatory body or expert opinion related to such medication. The Software’s absence of a warning for a given medication, therapy or medication combination should not be construed to indicate that the medication, therapy, or medication combination is safe, appropriate, or effective in any given patient.
Client acknowledges that the professional duty to the patient in providing healthcare services lies solely with the healthcare professional providing patient care services. Client takes full responsibility for the use of information provided by the Software in patient care and acknowledges that the use of the Software in no way is intended to replace or substitute for professional judgment. RxToolKit does not assume any responsibility for actions of Client that may result in any liability or damages due to malpractice, failure to warn, negligence, or any other basis. Client shall ensure that all healthcare professionals using the Software are aware of the limitations of the use of the Software.
a. Indemnification by Client. Client hereby covenants and agrees to indemnify and hold RxToolKit harmless from and against any liability, loss, injury, or expense (including reasonable attorneys’ fees and court costs) imposed upon, incurred, or suffered by RxToolKit relating to or arising out of any allegation or claim that the use of the Software, or any information contained therein, caused or contributed to the personal injury or death of an individual unless the allegation or claim is determined by a court of competent jurisdiction to be the result of RxToolKit’s gross negligence or willful misconduct.
b. Proprietary Rights Indemnification by RxToolKit. RxToolKit shall indemnify, hold harmless, and defend Client against suits based solely on a claim by a third party that the use of the Software by Client under this Agreement infringes on any patent, copyright, trademark, or other property right in the United States, provided that Client gives RxToolKit prompt written notice of such suits and permits RxToolKit to control the defense thereof. Should the Software become, or in RxToolKit’s reasonable opinion be likely to become, subject of a claim of infringement for which Client is entitled to be indemnified against as set forth herein, RxToolKit, may at its option and in addition to any other remedies available to it:
RxToolKit’s reasonable opinion be likely to become, subject of a claim of infringement for which Client is entitled to be indemnified against as set forth herein, RxToolKit, may at its option and in addition to any other remedies available to it:
i. obtain a license at no cost to Client permitting its continued use of the Software;
ii. modify the Software (such modification must maintain comparable functionality and performance) in a manner so that the Software is no longer infringing;
iii. substitute other products of comparable functionality and performance that do not infringe any copyright, patent, trademark, or other intellectual property law in the United States; or,
iv. if (i) – (iii) are not commercially reasonable, in RxToolKit’s sole and absolute discretion, terminate Client’s Usage License upon written notice to Client whereupon Client shall immediately terminate all further use of the Software.
Client acknowledges that, after Client has gained access to the Software, its sole and exclusive remedy will be for RxToolKit to use reasonable efforts to resolve any alleged problem with the Software.
a. As material consideration for this Agreement, RxToolKit shall not be, nor shall its affiliates, officers, employees, agents, suppliers, or licensors be, liable for any damages that Client may incur as a result of the use or failure of the Software, including, but not limited to, lost profits or lost revenue; damages relating to goodwill; special, indirect, incidental, or consequential damages; general damages; or punitive damages.
b. The parties agree that in no event will RxToolKit be liable to Client under any theory of liability for any amount of monetary damages in excess of the monthly subscription fees actually paid to RxToolKit by Client during the most recent six (6) month lookback period. This is agreed by the parties to be a “cap” on any monetary damages.
c. The limitations and exclusions in this Section 9 will apply even if the remedies available under this Section 9 do not fully compensate Client for any losses or fails of its essential purpose.
a. Client’s failure to timely pay the monies due to RxToolKit is a material breach of this Agreement by Client, and RxToolKit may immediately terminate this Agreement and/or exercise any and all available remedies.
b. If either party defaults or fails to perform any provision of this Agreement prior to the termination of this Agreement, the non-defaulting party shall provide the defaulting party written notice of such default or failure. Upon receipt of such written notice, the defaulting party shall have thirty (30) days to cure such default or failure. If the defaulting party has not cured the breach within thirty (30) days, then the non-defaulting party may terminate this Agreement and/or exercise any and all available remedies. Notwithstanding the foregoing, RxToolKit may immediately terminate this Agreement for Client’s failure to timely pay monies due to RxToolKit which is governed by Section 10(a) or Client’s purported breach of Section 4(d).
Subject to Section 1, any party desiring to terminate this Agreement shall send a written notice of termination to the other party. Upon termination of this Agreement by RxToolKit, with or without cause, Client shall immediately discontinue all use of the Software; remove all copies of the Software from its Hardware (as applicable); and, within three (3) days of receipt of the notice of termination, return the Software to RxToolKit (as applicable). Except as otherwise set forth in this Agreement, Client shall not, directly or indirectly, retain any copy of the Software or any materials or documentation related to the Software. RxToolKit will provide termination assistance to Client, if mutually agreed in writing between the parties, and Client shall pay for said services on a time and material basis. Payment for such services is due upon presentation of an invoice to Client.
The parties agree to protect the privacy and security of all protected health information disclosed to one another as a result of this Agreement. The parties acknowledge and agree that each party will comply with all applicable rules, regulations, laws, and statutes governing the privacy and security of health information including, but not limited to, any rules and regulations adopted in accordance with and the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Client is a covered entity under HIPAA, and RxToolKit is a business associate of Client. The terms of the Business Associate Agreement are set forth below as Exhibit A are hereby agreed to by the parties and incorporated by reference.
a. Hosting Services. RxToolKit hosts the Software and Client’s data input into the Software at a location off-site from RxToolKit’s premises via a third-party hosting service in accordance with all applicable federal rules, regulations, and laws (the “Hosting Services”). The Hosting Services are coterminous in all respects with the Term.
b. Internet Connectivity. The Hosting Services require Client to connect to the internet to gain access to the Software and Client’s data.
c. Hosting Fees. The fees set forth in the Order Form include the Hosting Services.
d. Client Data.
i. During the Term, the Hosting Services include the use of such third party’s servers to run the Software and house and back-up Client data.
ii. RxToolKit will retain Client’s data during the Term. Upon termination of this Agreement and with 30 days’ advance written notice by Client to RxToolKit, RxToolKit will provide Client’s data in textual format via a secure file transfer protocol (“SFTP”). After ninety (90) days from the date of termination of this Agreement, RxToolKit may, in its sole and absolute discretion, destroy all Client data and records, and RxToolKit makes no warranty or representation that it will keep any Client data or records ninety (90) days’ post termination.
e. Hosting Disclaimer. In addition to the disclaimers and limitations of liability set forth in this Agreement, RxToolKit does not represent or warrant guarantees of speed or availability of end-to-end connections and assumes no financial liability in the event Client experiences a service interruption and/or is unable to transmit and receive data, regardless of a determination that such interruption was caused by RxToolKit’s inability to provide the Hosting Services or such other services set forth in this Agreement.
a. Taxes. RxToolKit makes no representations concerning state, federal, or municipal taxes that may be assessed upon Client as a result of the terms and conditions of this Agreement. Client acknowledges that it is Client’s sole responsibility to pay any sales or other forms of tax that it incurs as a result of this Agreement or the use of the Software. If RxToolKit is required to collect sales or any other taxes as a result of this Agreement, Client shall pay the amount of tax when assessed.
b. Assignment. Client shall not assign, subcontract, or otherwise transfer the whole or any part of this Agreement, directly or indirectly, without RxToolKit’s written consent, which may be given or denied in its sole discretion. Notwithstanding the foregoing, either party may assign this Agreement in the case of a merger, corporate reorganization, or sale of all or a majority of its assets. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their permitted assigns.
c. Notices. Any notice required or permitted to be given hereunder must be sent (i) via email to valid email addresses set forth on the Order Form, as applicable or (ii) in writing sent via FedEx with tracking and delivery confirmation or via USPS certified mail, return receipt requested. Such written notice sent via FedEx or USPS must be addressed to the addresses set forth on the Order Form or to such other address or addresses as either party may from time to time designate as its address by notice in writing to the other. All notices will be effective upon proof of mailing to said addresses in accordance with this Section.
d. No Waiver. No term or provision hereof shall be deemed waived, and no breach excused, unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented. No waiver of a term or provision hereof or consent to a breach, whether express or implied, will constitute a subsequent waiver of any term or provision hereof or consent to any subsequent breach.
e. Status of the Parties and Commitment to Others. It is expressly understood and agreed by the parties that nothing contained in this Agreement shall be construed to create a joint venture, partnership, association, or other affiliation or like relationship between the parties. The parties specifically agree that their relationship is and shall remain that of independent parties to a contractual relationship as set forth in this Agreement. Client represents and warrants that the execution of this Agreement with RxToolKit does not constitute a breach of any other agreement between Client and any third party.
f. Choice of Law; Venue. This Agreement will be construed, and the legal relations between the parties hereto will be determined, in accordance with the laws of the State of Texas without regard to its conflicts of laws rules. The parties agree that the state and federal courts sitting in Dallas, Dallas County, Texas, will be the proper forums for any legal controversy arising in connection with this Agreement, and the parties hereby irrevocably and unconditionally consent to the exclusive jurisdiction of such courts for such purposes. So far as is permitted under applicable law, this consent to personal jurisdiction will be self-operative and no further instrument or action, other than service of process, will be necessary in order to confer jurisdiction upon the parties in any such court.
g. Entire Agreement; Modification. This Agreement, together with any exhibits hereto, contain the entire and only agreement between the parties respecting the subject matter hereof and supersedes and cancels all previous negotiations, agreements, commitments, representations, and writings with respect thereto. This Agreement may not be amended, supplemented, released, discharged, abandoned, changed, or modified in any manner, orally or otherwise, except by an instrument in writing of concurrent or subsequent date signed by duly authorized officers or representatives of each of the parties hereto.
h. Counterparts; Binding Effect. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. This Agreement shall not be binding and effective unless and until it is signed by a representative of RxToolKit and returned to Client.
i. Identity Use. RxToolKit may disclose Client as a client for the limited purpose of marketing the Software.
j. Confidentiality. All terms, provisions, conditions, negotiations, correspondence, and other information pertaining to this Agreement shall be kept strictly confidential, and Client hereby covenants that Client and its agents and assigns shall not disclose the terms provisions or conditions of this Agreement to any third parties without the prior written consent of RxToolKit.
k. Right to Use Anonymized Data. Notwithstanding the foregoing, Client hereby grants to RxToolKit the irrevocable, worldwide, perpetual, royalty free right to access, use, reproduce, distribute, display, assign, sell, license, sublicense, and create derivative works from all data that is input into or contained in either the Software or a database used in connection with the Software (“Data”) for the purpose of (i) use in outcomes and other comparability databases; (ii) conducting studies; (iii) establishing disease management protocols and (iv) collecting, modifying, compiling, processing, analyzing, disseminating, reporting, manipulating, or otherwise using the Data in such manner as RxToolKit, in its sole discretion, may deem appropriate from time to time; provided that any such use shall be conducted in accordance with applicable law and in such a manner as to prevent the identification of Client’s patients by any party other than RxToolKit, its affiliates, and RxToolKit’s and its affiliates’ respective employees, agents, and contractors. RxToolKit and its affiliates shall require all such employees, agents, and contractors to maintain the confidentiality of any information ascertained from such Data that permits the identification of Client’s patients. Client shall take such measures as may be reasonably requested by RxToolKit from time to time to transfer Data to RxToolKit.
l. Noncompetition and Non-solicitation. Client covenants and agrees that, during the Term of this Agreement (including any Renewal Terms) and for a period of two (2) years after the termination of this Agreement for whatever reason, Client will not directly or indirectly engage in any of the following restricted activities: (i) solicit, induce, or communicate with any person who is an employee or contractor of RxToolKit or was an employee or contractor of RxToolKit during the final year of this Agreement about employment, hiring, or otherwise engaging as an employee, contractor, or otherwise; (ii) solicit, encourage, facilitate, or induce any client of RxToolKit or any client that was a client of RxToolKit within the final year of this Agreement to breach or terminate any agreement or contract with, or discontinue or curtail his, her, or its relationship(s) with, RxToolKit; and (iii) compete with RxToolKit by providing the same or similar software services in any county or counties adjacent to where RxToolKit has an existing client.
m. Force Majeure. Each party shall be excused from complying with the terms of this Agreement, if and for so long as such compliance is hindered or prevented by an event of Force Majeure. Notwithstanding the foregoing, in order to be excused from delay or failure to perform, such party must act diligently to remedy the cause of such delay or failure. As used in this Agreement, “Force Majeure” includes: acts of God, action of the elements, wars (declared or undeclared), insurrection, revolution, rebellions or civil strife, piracy, civil war or hostile action, terrorist acts, riots, strikes, differences with workmen, acts of public enemies, inability to procure material, equipment, fuel or necessary labor in the open market, equipment or fuel shortages, or any other causes beyond the control of either party. Such period of suspension shall not in any way invalidate this Agreement, but on resumption of operations, any affected performance by such party shall be resumed. Notwithstanding the foregoing, an event of Force Majeure shall not excuse payments owed to RxToolKit under this Agreement.
n. Severability. The provisions of this Agreement are severable; if any provision of this Agreement is determined by a proper court or authority to be invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect or impair the remainder of this Agreement, and this Agreement shall remain in full force and effect without such invalid, illegal, or unenforceable provision.
o. Survival. The provisions of Sections 2, 3, 4, 5, 6, 7, 8, 9, 12, 13, and 14 (as applicable) of this Agreement shall continue and remain in full force after the expiration or earlier termination of this Agreement for any reason.
p. Attorney’s Fees. In any litigation arising out of this Agreement, the prevailing party in such litigation shall be entitled to recover its reasonable attorney’s fees and costs; provided that, prior to the bringing of any such litigation the parties shall exercise good faith efforts over a period of at least ten (10) days to try to amicably resolve any such dispute.
q. Rights to Injunctive Relief. Both parties acknowledge that the remedies at law may be inadequate to provide RxToolKit with full compensation in the event of Client’s breach of various sections and that RxToolKit shall therefore be entitled to seek and obtain injunctive relief in the event of any such breach. In the event that RxToolKit seeks injunctive relief, it shall be relieved from the 10-day pre-suit negotiating period described in Section 14(p).
(Exhibit A to Follow)
This Business Associate Agreement (this “BAA”) is entered into between RxToolKit, LLC, a Texas limited liability company (referred to herein as “BA”) and the person or entity identified as “Client” in the RxToolKit Software Agreement to which this BAA is attached as Exhibit A (referred to herein as “Covered Entity”). The parties desire this BAA be effective as of the date of the Arrangement (defined below).
WHEREAS, Covered Entity is a “Covered Entity” as defined in 45 C.F.R. Section 160.103;
WHEREAS, BA and Covered Entity have agreed for BA to provide certain services pursuant to that certain RxToolKit Software Agreement to which this BAA is attached as an exhibit (the “Arrangement”). Under the Arrangement, the parties have acknowledged and agreed that each party will comply with all applicable rules regulations, laws, and statutes governing the privacy and security of health information, including, but not limited to, any rules and regulations adopted in accordance with and the provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
WHEREAS, BA is a Business Associate of Covered Entity; and
WHEREAS, Covered Entity and BA desire that all PHI (as defined below) received by BA from Covered Entity or maintained or transmitted by BA on behalf of Covered Entity, or any PHI otherwise exchanged between the parties, be protected and secured pursuant to the terms of this BAA.
NOW, THEREFORE, in consideration of the mutual promises between the parties and for other valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby agree as follows:
a. Comprehensive Definition: The following terms, and their respective derivative forms, used in this BAA, when capitalized, shall have the meanings ascribed to them in the HIPAA Rules, as the same may be amended from time to time: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
b. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, as the same may be amended from time to time.
c. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, as the same may be amended from time to time.
d. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, as the same may be amended from time to time.
e.“HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
f. “Protected Health Information” or “PHI” shall mean the same as the term PHI as defined in 45 C.F.R. §150.103, as the same may be amended from time to time.
a. BA agrees to not Use or Disclose PHI other than as permitted or required by the Arrangement or this BAA or as Required by Law.
b. BA will use all appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA or as Required by Law; BA will report to Covered Entity any suspected Breach of Unsecured PHI held by or under control of BA within fifteen (15) business days of the first day such suspected breach is known, or reasonably should have been known, to BA. In the case of either a suspected Breach of Unsecured PHI or an actual Breach of Unsecured PHI, BA will report to Covered Entity’s Privacy Officer all information as such Privacy Officer may request regarding any such suspected or actual Breach of Unsecured PHI and provide, in writing, a report of the suspected Breach of Unsecured PHI and all other information as may be requested by Covered Entity in such timeframes as Covered Entity may request. BA will cooperate with Covered Entity as may be requested by Covered Entity in order for Covered Entity to ensure any breach notification obligations of Covered Entity are fully met. Unless the context of the relationship specifically requires otherwise, the parties disclaim any agency relationship between Covered Entity and BA.
c. BA agrees to mitigate, to the extent practicable, any harmful effect that is known to BA of a Use or Disclosure of PHI by BA in violation of the requirements of this BAA.
d. BA agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA, including any Security Incident.
e. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2) of the HIPAA Rules, if applicable, BA agrees to ensure that any agent, including Subcontractors that create, receive, maintain, or transmit Covered Entity’s PHI on behalf of BA agree to the same restrictions and conditions that apply through this BAA to BA with respect to such information.
f. BA agrees to provide access, in the form, time, and manner requested by Covered Entity, to PHI in a “Designated Record Set” maintained by BA, if any, to Covered Entity in order for Covered Entity to meet the requirements under 45 CFR § 164.524 of the HIPAA Rules, and, as applicable, § 13405(e)(1) of the HITECH Act. In the event any individual requests access to his or her own PHI directly from BA, BA shall forward such request to Covered Entity upon receipt of same. Any denials of access to PHI requested shall be the responsibility of Covered Entity.
g. BA agrees to make any amendment(s) to PHI in a Designated Record Set maintained by BA, if any, that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the direction of and in the time and manner reasonably designated by Covered Entity.
h. BA agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the Use and Disclosure of PHI available to the Secretary or his designee, after written notice is received from Covered Entity or at a time designated by the Secretary, for purposes of the Secretary determining compliance with the HIPAA Rules.
i. BA agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528 of the HIPAA Rules, and, as applicable, § 13405(c) of the HITECH Act, in the time and manner designated by BA.
j. BA agrees to provide to Covered Entity or an Individual in the time and manner designated by Covered Entity all information needed to permit Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR §164.528 of the HIPAA Rules, and, as applicable, § 13405(c) of the HITECH Act. BA further agrees to forward to Covered Entity any request for an accounting of disclosures of PHI made directly by an individual to BA upon receipt of such request. To the extent BA maintains PHI in an electronic health record, BA agrees to account for all disclosures of such PHI upon the request of an individual for a period of at least three (3) years prior to such request (but no earlier than the effective date of this BAA), as required by HITECH; such accounting shall be directly to the individual if requested by Covered Entity.
k. BA agrees to comply with the prohibition on the sale of Electronic Health Records and PHI as set forth in §13405(d) of the HITECH Act. The term “Electronic Health Record” shall have the same meaning given to such term in §13400(5) of the HITECH Act.
l. BA agrees not to Use and Disclose PHI for marketing or fundraising purposes.
m. To the extent BA is to carry out one or more of Covered Entity’s Covered Entity obligations, to the extent any such obligation is expressly delegated by Covered Entity to BA and rightfully identified as a Covered Entity obligation under Subpart E of 45 CFR Part 164, BA will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
n. BA shall request, Use, and Disclose PHI consistent with the Minimum Necessary Standards of the HIPAA Rules.
o. BA will comply with any additional requirements contained in the HIPAA Rules and the HITECH Act that are expressly applicable to Business Associates, which requirements are hereby incorporated into this BAA.
a. BA may only Use or Disclose PHI as necessary to perform services pursuant to the Arrangement, as Required by Law, or as permitted under this BAA.
b. Except for the specific Uses and Disclosures specified in Section 3(c) – (e) below, BA may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by a Covered Entity.
c. BA may Use PHI for the proper management and administration of BA or to carry out the legal responsibilities of BA.
d. BA may Disclose PHI for the proper management and administration of BA or to carry out the legal responsibilities of BA, provided that either Disclosures are Required By Law or BA obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person and the person notifies BA of any instances of which it is aware in which the confidentiality of the information has been breached.
e. BA may Use PHI to report violations of law to appropriate Federal and state authorities, consistent with 45 CFR §164.502(j)(1) of the HIPAA Rules.
f. BA may use PHI to provide Data Aggregation services as permitted by 45 CFR §164.504(e)(2)(i)(B).
a. Covered Entity shall notify BA of any limitation(s) in its Notice of Privacy Practices of Covered Entity in accordance with 45 CFR § 164.520 of the HIPAA Rules, to the extent that such limitation may affect BA’s Use or Disclosure of PHI.
b. Covered Entity shall notify BA of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect BA’s Use or Disclosure of PHI.
c. Covered Entity shall notify BA of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 of the HIPAA Rules, to the extent that such restriction may affect BA’s Use or Disclosure of PHI.
d. Covered Entity shall not request BA to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except that BA may Use or Disclose PHI as specified in Section 3(c) – (e) above.
e. Except to the extent BA controls access to Covered Entity’s electronic PHI, including any security services BA provides as part of the Arrangement, Covered Entity agrees it is responsible to implement and use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 CFR Part 164 of the HIPAA Rules, to prevent unauthorized access to its electronic PHI that is maintained at a BA facility and/or BA‐provided equipment or is transmitted to and from a BA facility.
The terms requiring the safeguarding of PHI in this BAA shall survive termination of the Arrangement and shall terminate when all PHI is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the provisions in Section 7 below..
Except as provided in Section 7 below, upon termination of this BAA, for any reason, BA shall return or destroy all PHI received from, or created or received by BA on behalf of, Covered Entity that BA still maintains in its possession. This provision shall apply to PHI that is in the possession of Subcontractors or agents of BA. BA shall retain no copies of PHI.
In the event that BA determines that returning or destroying PHI is infeasible, BA shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. BA shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as BA maintains such PHI.
In accordance with Section 13404(b) of the HITECH Act and subject to BA’s termination rights in the Arrangement, BA may terminate both this BAA and the Arrangement if (a) BA knows of a pattern of activity or practice of Covered Entity that constitutes a violation of Covered Entity’s obligations under the HIPAA Rules or (b) Covered Entity has breached a material term of this BAA, provided that Covered Entity shall have a cure period of 30 days following its receipt of notice of the breach from BA unless a cure is not feasible, in which case there shall be no cure period. If termination is not feasible, then BA shall report the violation to the Secretary. BA may terminate the Arrangement without cause upon 60 days’ notice.
Covered Entity may terminate this BAA and the Arrangement if (a) Covered Entity knows of a pattern of activity or practice of BA that constitutes a material breach or violation of BA’s obligations under the HIPAA Rules or (b) BA has breached a material term of this BAA, BA shall have a cure period of 30 days following its receipt of notice of the breach from Covered Entity unless a cure is not feasible, in which case there shall be no cure period. If termination is not feasible, then Covered Entity shall report the violation to the Secretary. Covered Entity may terminate the Arrangement without cause upon 60 days’ notice.
The terms of this BAA are not intended nor should they be construed to grant any rights to parties other than BA and Covered Entity.
No delay or omission on the part of either party in exercising any right hereunder shall operate as a waiver of such right or of any other right under this BAA. A waiver on any one occasion shall not be construed as a bar to or waiver of any right or remedy on any further occasion. The election of either party of a particular remedy on default will not be exclusive of any other remedy, and all rights and remedies of the parties hereto will be cumulative.
Any amendment to this BAA shall not be binding on either of the parties to this BAA unless such amendment is in writing and executed by the party against whom enforcement is sought.
To the extent any provisions of this BAA conflict with a provision of the Arrangement with respect to issues related to the privacy and security of PHI this BAA will control.