Provider User Agreement
Last updated: December 15th, 2017
Welcome to Klara Technologies, Inc. ("Klara," “We,” “Us" or “Our”) and to the Klara portal within Klara’s website located at www.klara.com (the "Portal"). This Provider User Agreement (the “Agreement”) is entered between Klara and Client (as such term is defined in the Letter of Agreement). The words "You" and “Your” as used herein refer to all individuals and/or entities accessing or using the Portal on behalf of the individual and/or entity entering into this Provider User Agreement, for any reason.
PLEASE READ THIS PROVIDER USER AGREEMENT (THE “AGREEMENT”) CAREFULLY BEFORE USING THIS PORTAL OR SUBMITTING ANY MATERIALS GENERATED BY YOU (“PROVIDER-GENERATED MATERIAL”). This Agreement, as it might be revised from time to time, governs, among other things: (i) Your access to and use of the Portal and its related products and services; (ii) the manner in which You provide any and all material to Klara at any time after clicking “I Agree”; and (iii) communications between You and Klara with respect to the Portal and its and other Klara products and services (collectively, the “Services”). If You do not agree with the terms and conditions below, or do not agree to be bound by them, do not click the “I AGREE” option, do not create an account, or use the Portal or its related services. If You do not agree with these terms and conditions in full, Klara does not grant You any right, license, or otherwise authorize You to access or use this Portal or any related products or services, in any fashion for any purpose whatsoever. Whenever referenced herein, Klara shall refer to Klara Technologies, Inc. and its shareholders, officers, affiliates, employees, directors, agents, subcontractors and representatives, collectively.
IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND THE ENTITY TO ALL TERMS AND CONDITIONS OF THIS AGREEMENT AND, “YOU” AND “YOUR” IN THIS AGREEMENT SHALL REFER TO SUCH ENTITY OR PRACTICE. IF YOU DO NOT HAVE SUCH AUTHORITY OR IF YOU DO NOT AGREE TO ALL THE TERMS AND CONDITIONS IN THIS AGREEMENT, YOU MAY NOT SELECT THE “I AGREE” BUTTON AND MAY NOT USE THE PORTAL OR ITS RELATED PRODUCTS AND SERVICES. By clicking the “I AGREE” option, creating an account, providing Provider-Generated Material, or paying for or using our Service(s), You accept that the terms, obligations, rights and conditions specified here will form a legally binding agreement between You and Klara, and certify that:
You have read and understand all of the terms and conditions of this Agreement; You are either the practitioner identified in the profile accessed through this Portal (“the Profile”), or are expressly authorized by the practitioner identified in the Profile to act as an agent on behalf of the practitioner, entity, or practice;
You agree to be bound by all of the terms and conditions of this Agreement and acknowledge that this Agreement is the legal equivalent of a signed, written contract for services between You and Klara.
B. MODIFICATIONS TO THE AGREEMENT This Agreement may be amended only by a written instrument signed by both parties.
D. DESCRIPTION OF KLARA SERVICES Klara is a messaging service that acts as a gateway portal to facilitate the exchange of health information between physician and patient, and among physicians and other medical service providers, including, without limitation, pharmacies, health care facilities, and medical staff within a facility or practice. Klara is not a medical provider or telehealth service as such terms may be defined under state or federal laws.
E. ACCESS TO AND USE OF THE PORTAL Klara will provide You with access to Klara’s cloud-based communication Portal. Klara reserves the right, at its sole discretion, to restrict, suspend or terminate Your access to all or any part of the Portal at any time for Cause (defined below) without prior notice or liability. As set forth in 4.5 herein, Klara may change, suspend or discontinue all or any aspects of the Portal at any time, but will make commercially reasonable efforts to inform You of such disruption, suspension, or material changes to the Portal prior to proceeding with these changes. Klara may also temporarily suspend or discontinue, without notice, a Klara session at any time should Klara reasonably believe that such action is required, or to avoid an imminent threat of harm to Klara, or to You or your patients.
Klara shall provide access to the Portal twenty-four (24) hours, seven (7) days a week excluding periods of time necessary for Portal maintenance and internet performance issues. Klara reserves the right to have planned outages for hardware and software maintenance. You acknowledge system maintenance is a necessary element towards Klara providing the Portal as a functional platform and You understand that under no circumstance shall You be entitled to any abatement of any Fees or reimbursement for any costs or expenses associated with periodic Portal downtime or periodic limited or lack of functionality.
License to Portal. Subject to Your compliance with the terms and conditions of this Agreement, Klara will grant to You a non-exclusive, non-transferable, limited right and license, solely during the Term (as defined herein) of this Agreement, to access, use, cache, perform, and display the Portal options and features and all reference materials and associated materials, solely for the purpose of use the Portal and its related products and services.
Hosting. The hosting of the Portal shall consist of secure hosting and storing of certain Confidential Information, as defined in Section L of this Agreement, including, but not limited to, applicable Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, ("HIPAA") and transmitting the Confidential Information and other required information to You, and Klara’s designated service providers.
Your Data Security Obligations. You are fully responsible for the security of Provider-Generated Material prior to uploading it to the Portal or that is otherwise in Your possession. You agree to comply with all applicable state and federal laws and rules in connection with Your collection, security, and dissemination of any PHI on Your site. You agree that at all times You shall be compliant with HIPAA and HITECH requirements, as applicable. The steps You will need to take to comply with HIPAA and HITECH when using Klara will vary based on Your implementation.
Suspension or Termination. Klara reserves the right, in its sole discretion, to restrict, suspend or terminate Your access to all or any part of the Portal at any time for Cause (defined below) without prior notice or liability. Klara may change, suspend or discontinue all or any aspects of the Portal at any time, including the availability of any feature, database, or content, without prior notice or liability. Klara will make reasonable, good faith efforts to inform You of pending suspension or termination. Cause means: (i) a material breach of this Agreement that remains uncured within ten (10) business days, if deemed curable by Klara in its sole discretion, upon written notice to You; (ii) Your failure to remit payment as required hereunder; or (iii) Klara reasonably believes that You are engaged in any conduct that violates, or could be deemed to violate, this Agreement, or any law, rule or regulation.
Retention of Content. As long as Your Portal account is active, You shall be responsible for managing and retaining any of Your Content. Other than as required by applicable law or legal process or as otherwise agreed, Klara shall not be responsible for retaining any of Your Content after account termination or for archiving purposes. You acknowledge that all Content may be deleted by Klara after the account is terminated, subject to the terms of this Agreement. For the avoidance of doubt, Klara does not provide record keeping or other archival services. You will keep copies of all Content delivered or otherwise made available by or on behalf of You or your patient users to Klara as part of the Services.
Business Continuity. In the event that You or Klara terminate this Agreement, or Klara is unable to continue providing the Portal to You, Klara will provide You with access to the most current data set, as well as all necessary information, including application settings and utilities, in order to facilitate a transition of Your Content to another provider or to You for in-house implementation, provided that You are at such time in good standing in all then current fees and charges and Klara receives written request from You for a copy of Your Content no later than 30 days after termination (the “Termination Transition Period”). Klara will provide the same data backups and settings regardless of which party terminates this Agreement or the reason for termination, and each party will reasonably cooperate to effect a timely and orderly transition of services, if applicable, to You or to any designated third party identified by You in writing to Klara within the Termination Transition Period. Notwithstanding the foregoing, if, upon termination, You request that Klara provide transitional services in addition to what is set forth above in this Section E(7), including, but not limited to, exporting the Content on your behalf, or making Klara experts available to You for assistance, Klara may, in its reasonable discretion, charge You a reasonable cost-based fee consistent with industry pricing for providing such additional transition services.
License Restrictions. You shall not reverse engineer, decompile, disassemble, translate, or attempt to learn the source code of the Portal or its related services. Unless expressly set forth herein, You may not use, copy, modify, create derivative works of, distribute, sell, assign, pledge, sublicense, lease, loan, rent, timeshare, deliver, or otherwise transfer, directly or indirectly, the Portal (in whole or in part) or any rights in the Portal or its related products and services. You may not resell or act as a service bureau for the Portal or any component thereof. You may not remove from the Portal or its related products and services, or alter or add, any Marks or copyright notices or other proprietary rights markings.
F. COMPLIANCE WITH APPLICABLE LAWS You hereby acknowledge that Klara is software provider with no professional licensure certification, and understand that Klara is not a medical provider. You understand that You are responsible for all aspects of professional services provided by You. You agree to: (a) adhere to the provisions under this Agreement; and (b) comply with the requirements of law and with all ordinances, statutes, regulations, directives, orders, or other lawful enactments of pronouncements of any local, state, federal or other lawful authority applicable to either of the parties. You further agree: (i) not to use the Portal or any related services for any illegal purposes; and (ii) to comply with all applicable local, state, national, and international laws and regulations, including, without limitation, laws relating to recording conversations, privacy, and data protection and public displays or performances, and United States export laws and regulations regarding the transmission of technical data exported from the United States through the Software or Services.
G. REPRESENTATIONS AND WARRANTIES You represent and warrant the following:
No Conflict. You are not currently a party, and shall not be a party, to any agreement which conflicts with the terms of this Agreement.
Warranty of Content. You represent that You: (i) are the owner or authorized licensee of any and all Content; (ii) will not publish, post, upload, record, or otherwise distribute or transmit Content using Portal that: (a) infringes or would infringe any copyright, patent, trademark, trade secret, or other proprietary right of any party, or any rights of publicity or privacy of any party; (b) violates any law, statute, ordinance, or regulation (including without limitation the laws and regulations governing export control, unfair competition, anti-discrimination, false advertising, privacy, or data security); (c) is profane, defamatory, libelous, obscene, indecent, threatening, harassing, or otherwise unlawful; (d) is harmful to minors or pornographic; (e) contains any viruses, Trojan horses, worms, time bombs, malware, cancelbots, corrupted files, or any other similar software, data, or programs that may damage, delete, detrimentally interfere with, surreptitiously intercept, or expropriate any system, data, personal information, or property of another; or (f) is materially false, misleading, or inaccurate.
Ownership of Content. Klara does not claim ownership of any Content. In connection with our provision of the Portal to You, except as otherwise provided in this Agreement, as between You and Us, You retain all right, title, interest, and responsibility for, in, and to the Content. You acknowledge that the Portal and its related products and services are provided by automated means and that Klara personnel will not access, use, or disclose any Content, except as necessary to provide You with Portal products and services, including, without limitation, the following: (i) during a service interruption as necessary to restore applicable Content at Your request; or (ii) as reasonably deemed necessary or advisable by Klara, at its sole but reasonable discretion, to conform to applicable legal requirements or to comply with legal process. You hereby grant to Klara a nonexclusive, worldwide, royalty-free, fully-paid, irrevocable, transferable license to host, cache, store, display, record and copy Content solely for the purpose of providing the Portal to You during the Term of this Agreement.
H. PAYMENTS & FEES Unless otherwise set forth in a duly-executed and mutually agreed upon amendment to this Agreement, pricing for use of the Portal and its related products and services is set forth in the Letter Agreement between the parties. Notwithstanding the foregoing, in the event that there is a material change in the size, scope and/or complexity of the Services provided by Klara to You under this Agreement, including, but not limited to, the provision of additional licenses for the Portal, or the provision of additional functionality for the Portal, You agree that Klara may amend the pricing structure set forth in the Letter Agreement to reflect such material change upon 30 days prior written notice to You, provided, however, that such amendment occur no more frequently than once per year. You agree to pay Klara the applicable fees and charges for use of the Portal and its related products and services. You agree to pay Klara the applicable fees and charges for use of the Portal and its related products and services. Unless otherwise stated in a duly-executed and mutually agreed upon amendment to this Agreement, each proper, undisputed, invoice is due and payable by You immediately upon receipt of such notice. Klara reserves the right to charge late fees of up to 1% monthly on balances outstanding beyond 60 days of invoice date.
I. LIMITATION OF LIABILITY & DISCLAIMER
YOU ACKNOWLEDGE THAT ACCESS TO THE PORTAL WILL BE PROVIDED OVER VARIOUS FACILITIES AND COMMUNICATIONS LINES, AND INFORMATION WILL BE TRANSMITTED OVER LOCAL EXCHANGE AND INTERNET BACKBONE CARRIER LINES AND THROUGH ROUTERS, SWITCHES, AND OTHER DEVICES (COLLECTIVELY, “CARRIER LINES”) OWNED, MAINTAINED, AND SERVICED BY THIRD-PARTY CARRIERS, UTILITIES, INTERNET SERVICE PROVIDERS, ALL OF WHICH ARE BEYOND KLARA’s CONTROL. KLARA ASSUMES NO LIABILITY FOR OR RELATING TO THE INTEGRITY, PRIVACY, SECURITY, CONFIDENTIALITY, OR USE OF ANY INFORMATION WHILE IT IS TRANSMITTED ON THE CARRIER LINES, OR ANY DELAY, FAILURE, INTERRUPTION, INTERCEPTION, LOSS, TRANSMISSION, OR CORRUPTION OF ANY DATA OR OTHER INFORMATION ATTRIBUTABLE TO TRANSMISSION ON THE CARRIER LINES. USE OF THE CARRIER LINES IS SOLELY AT YOUR RISK AND IS SUBJECT TO ALL APPLICABLE LOCAL, STATE, NATIONAL, AND INTERNATIONAL LAWS.
KLARA IS NOT RESPONSIBLE FOR UNAUTHORIZED ACCESS TO YOUR DATA, FACILITIES OR EQUIPMENT BY INDIVIDUALS OR ENTITIES USING THE PORTAL OR FOR UNAUTHORIZED ACCESS TO, ALTERATION, THEFT, CORRUPTION, LOSS OR DESTRUCTION OF YOUR DATA FILES, PROGRAMS, PROCEDURES, OR INFORMATION THROUGH THE SYSTEM, WHETHER BY ACCIDENT, FRAUDULENT MEANS OR DEVICES, OR ANY OTHER MEANS BY ANY AUTHORIZED USER, OR ANY OTHER PERSON, ENTITY, THIRD PARTY OR OTHER. YOU ARE SOLELY RESPONSIBLE FOR VALIDATING THE ACCURACY OF ALL OUTPUT AND REPORTS, AND FOR PROTECTING YOUR DATA AND PROGRAMS FROM LOSS BY IMPLEMENTING APPROPRIATE SECURITY MEASURES, INCLUDING ROUTINE BACKUP PROCEDURES.
IN THE EVENT THAT YOU TRANSMIT, INTRODUCE, OR OTHERWISE CAUSE ANY TECHNICAL DISRUPTION OF THE PORTAL, YOU AGREE TO BE RESPONSIBLE FOR ANY AND ALL LIABILITIES AND COSTS AND EXPENSES (INCLUDING ATTORNEYS’ FEES AND EXPENSES) INCURRED BY KLARA ARISING FROM ANY AND ALL CLAIMS BROUGHT BY THIRD PARTIES BASED UPON SUCH TECHNICAL DISRUPTIONS. "TECHNICAL DISRUPTION" MEANS DISTRIBUTION OF UNSOLICITED ADVERTISING OR CHAIN LETTERS, PROPAGATION OF COMPUTER WORMS, VIRUSES OR OTHER HARMFUL CODE, AND/OR USING THE SITE TO MAKE UNAUTHORIZED ENTRY TO ANY OTHER MACHINE ACCESSIBLE VIA THE SITE. YOU ARE FURTHER SOLELY RESPONSIBLE FOR THE CONTENT OF ANY TRANSMISSIONS USING THE SITE AND AGREE NOT TO UPLOAD, POST OR OTHERWISE MAKE AVAILABLE ON THE PORTAL ANY MATERIAL PROTECTED BY A PROPRIETARY RIGHT OF A THIRD PARTY WITHOUT FIRST OBTAINING THE EXPRESS PERMISSION OF THE OWNER OF SUCH PROPRIETARY RIGHT OR ANY CONTENT, INCLUDING, WITHOUT LIMITATION, ANY THREATENING, DEFAMATORY, OBSCENE, OFFENSIVE, OR ILLEGAL CONTENT. YOU SHALL BE SOLELY LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (INCLUDING ATTORNEYS' FEES AND EXPENSES) ARISING OUT OF INFRINGEMENT OF PROPRIETARY RIGHTS OR ANY OTHER HARM ARISING FROM THE UPLOADING, POSTING OR OTHER SUBMISSION OF MATERIALS BY YOU.
Notwithstanding anything to the contrary contained IN THIS SECTION I OR IN SECTION K HEREIN, no party to this Agreement will be liable to another party to this Agreement for consequential, incidental, Indirect, punitive or exemplary damages of any kind (including, without limitation, loss revenues or profits, loss of use, loss OF goodwill or reputation) or claims, debts, liabilities, obligations, costs, expenses, actions, causes of action and claims for relief based on contract, tort or otherwise (including negligence and strict liability) arising from or relating to the Services, or otherwise arising from or relating to the use of the Portal, or FROM this Agreement, regardless of whether such party was advised, had other reason to know, or in fact knew of the possibility thereof and regardless of whether or not such loss or damage was caused by or contributed to by either party’s negligent performance or failure to perform any obligation. In no event will the liability of any party to this Agreement for damages or alleged damages under this Agreement, whether in contract, tort or any other legal theory, exceed the total amounts paid to Klara during the twelve (12) months preceding the event giving rise to the claim. THIS SECTION I SHALL SURVIVE THE TERMINATION OF THE AGREEMENT.
J. STANDARD OF CARE Klara shall provide the Services under this Agreement in a good workmanlike manner, with that standard of care, skill and diligence that a similarly situated experienced service provider would use when acting under similar circumstances and in accordance with the applicable specifications and industry standards. Representatives of Klara assigned to perform services under this Agreement will be properly trained and supervised with respect to the conduct of their business activities hereunder.
K. INDEMNIFICATION Each party agrees to release, indemnify and hold the other party harmless from and against any losses, damages, liabilities, demands, administrative actions, government investigations, payor audits, costs, fines, fees, expenses (including reasonable attorneys’ fees, expert fees and disbursements) penalties, claims, suits and actions (collectively “Claims”), caused by, asserted to have been caused by, arising out of, as a result of, or related to, directly or indirectly, any act or omission by the other party, the other party’s employees, affiliates, subcontractors or assigns, including, but not limited to, (i) the use, non-use, misuse, access or unauthorized access of the Portal; (ii) a material breach of the terms of this Agreement including representations, warranties, covenants and obligations; (iii) any act or omission of the other party that results in submitting any false or fraudulent claim to any governmental or private payor; (iv) any violation of law, rule or regulation; or (v) any other acts or omissions. For the avoidance of doubt, this Section K is subject to the limitation of liability set forth in Section I herein. This Section K shall survive the termination of this Agreement.
L. CONFIDENTIALITY The parties recognize that they may come in contact with or become familiar with information that the other party may consider confidential, such as certain proprietary, financial or commercial information, including, but not limited to, records, files, reports, protocols, policies, manuals, databases, processes, procedures, computer systems, materials, and other documents created or maintained relating to the operation of the party’s organization (collectively, “Confidential Information”). The parties agree that they will not, and that their staff or designees will not, during or after the Term of this Agreement, disclose any confidential or proprietary information to any other person or entity for any reason or purposes whatsoever, without written consent of the other party. All Confidential Information disclosed hereunder will remain the exclusive and confidential property of the disclosing party. The receiving party will not disclose the Confidential Information of the disclosing party and will use at least the same degree of care, discretion and diligence in protecting the Confidential Information of the disclosing party as it uses with respect to its own Confidential Information, but in no case less than reasonable care; provided, however, that Klara may disclose PHI included within the Confidential Information in accordance with the Business Associate Agreement by and between the parties. The receiving party will limit access to Confidential Information to its affiliates, employees and authorized representatives with a need to know and will instruct them to keep such information confidential. Notwithstanding the foregoing, the receiving party may disclose Confidential Information of the disclosing party (i) to the extent necessary to comply with any Law; (ii) as appropriate and with prior notice where practicable, to respond to any summons or subpoena or in connection with any litigation; and (iii) to any vendor with which Klara has a HIPAA compliant relationship. It is expressly agreed that in no event shall Klara be liable for the disclosure of any Confidential Information about You that is or becomes generally available to the public other than as a result of any gross negligence or willful misconduct by Klara or affiliates or any of their officers, directors, employees, representatives and agents, or that is or has become known or available to Klara on a non-confidential basis from a source that, to the best of Klara’s knowledge, is not prohibited from disclosing such information, or that was independently developed by Klara or affiliates or any of their officers, directors, employees, representatives and agents without reference to such information. You acknowledge that Klara may from time to time communicate directly with You for the purpose of marketing its products and services or those of its recommended vendors, and may use Confidential Information to do so. The obligations of Klara set forth in this Section L shall not apply to any suggestions and feedback for product or service improvement, correction, or modification provided by You in connection with any present or future Klara product or service. In addition, subject to any limitations imposed by HIPAA, with Your consent (which is hereby given), Klara may use internet/website analytics software tools and programs that collect, transmit, store, disclose and analyze certain information about the actual use of the hosted programs by You (such as, but not limited to, pages viewed, links clicked, help functions used and other workflow information); such information shall not be considered Confidential Information hereunder and may be used by Klara for the purpose of license administration, error resolution and product analysis and improvement.
M. USE OF NAME AND PUBLICITY
Except as required by law, You shall not: (i) use the name, trademark, trade dress, or any other name or mark by which Klara is known, or of any employee, officer, director or affiliate of Klara or any adaptation, acronym or name by which Klara is commonly known, in any advertising, promotional or sales literature or in any publicity without the prior written approval of Klara; or (ii) publish any information about the Portal, without the prior written permission of Klara.
N.TERM AND TERMINATION
This Agreement shall be effective as of the date of the Letter Agreement between the parties (the “Effective Date”) and shall have a term concurrent to the term set forth in the Letter Agreement (the “Term”). Either party may terminate this Agreement by providing thirty (30) days prior written notice of such termination to the other party.
This Agreement shall be governed by, and construed in accordance with the laws of the State of New York, exclusive of conflict of law rules. Each party to this Agreement hereby agrees and consents that any legal action or proceeding with respect to this Agreement shall only be brought in the courts of the state of New York. This Agreement, along with any exhibits, constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this Agreement supersedes and replaces any former agreement or addendum entered into by the parties. This Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or electronic signatures to this Agreement shall be deemed original signatures to this Agreement.
P. FORCE MAJEURE
Klara has no liability to You if the Portal is inaccessible or data destroyed by fire, strike, theft, acts of God, or any other cause. In the event of system malfunction, for whatever reasons, or inability to access the Portal, Klara shall not be liable for damage to or loss of any of Your data and You acknowledge that You have been advised that You are responsible for maintaining Your own data by use of regular backup procedures. You agree to hold Klara harmless from any liability resulting from violations of local, state or federal regulation relating to the inaccessibility to the Portal for reasons set forth in this Section P. You agree to indemnify and hold Klara harmless from costs associated with the defense of Klara, including attorney’s fees, in any such local state or federal proceeding.
BUSINESS ASSOCIATES AGREEMENT
This Business Associate Agreement (“BA Agreement”), (the “Effective Date” is when covered entity signed the Letter of agreement) is between the “Covered Entity” (within the meaning as defined at 45 CFR 160.103) and Klara Technologies, Inc. (the “Business Associate”) (within the meaning as defined at 45 CFR 160.103), for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder.
WHEREAS, Covered Entity and Business Associate are parties to an arrangement pursuant to which Business Associate provides certain services to Covered Entity as further set forth in that certain agreement by and between the parties (the “Underlying Services Agreement”);
WHEREAS, in connection with Business Associate’s services pursuant to the Underlying Services Agreement, Business Associate may assist in the performance of a function or activity involving the use or disclosure of protected identifiable health information (“PHI”), which information is subject to protection under the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively referred to herein as the “HIPAA Rules”).
WHEREAS, in light of the foregoing and the requirements of HIPAA Rules, Business Associate and Covered Entity agree to be bound by the following terms and conditions.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
General Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic PHI, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, PHI, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
Obligations and Activities of Business Associate.
a. Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required By Law. Business Associate shall comply with the provisions of this BA Agreement relating to privacy and security of PHI and all present and future provisions of the HIPAA Rules that relate to the privacy and security of PHI and that are applicable to Covered Entity and/or Business Associate.
b. Permitted Uses and Disclosures by Business Associate.
i. Required For Provision of Services. Except as otherwise limited in this BA Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as reasonably required in performing its services pursuant to the Underlying Services Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary standards set forth in the HIPAA Rules. Business Associate may also de-identify PHI received from Covered Entity consistent with the HIPAA Rules, and/or perform data aggregation services consistent with the HIPAA Rules.
ii. Use for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
iii. Disclosure for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may make uses and disclosures and requests for PHI for the proper management and administration of the Business Associate, provided that (1) disclosures are Required by Law, (2) disclosures are consistent with the minimum necessary standards set forth in the HIPAA Rules, or (3) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this BA Agreement. Without limiting the generality of the foregoing sentence, Business Associate will:
Comply with its administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the HIPAA Rules;
Ensure that any agent, including a subcontractor, to whom Business Associate provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect Electronic PHI;
Promptly report to Covered Entity any Security Incident of which Business Associate becomes aware, provided, however, that the parties agree that Business Associate need not report to Covered Entity the ongoing existence of common, persistent security threats, including without limitation, “pings” and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and phishing attempts, to the extent such activity does not result in unauthorized access to, or use or disclosure of, Covered Entity’s PHI.
Promptly report to Covered Entity any use or disclosure of PHI of which it becomes aware not provided for by the BA Agreement; and
v. Promptly report to Covered Entity following the discovery of any Breach as required at 45 CFR 164.410,.
d. Mitigation. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its employees, officers or agents in violation of the requirements of this BA Agreement (including, without limitation, any Security Incident or Breach of Unsecured PHI). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this BA Agreement and/or any Security Incident or Breach. In the event of a Breach, Business Associate shall prepare of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA Rules, or any other Federal or State laws, rules or regulations, provided that Business Associate shall reasonably cooperate and coordinate with Covered Entity in the preparation of any such reports or notices.
e. Agents. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information.
f. Access to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under HIPAA Rules. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
g. Amendments to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to the HIPAA Rules at the request of Covered Entity or an Individual, and in the time and manner designated by the Covered Entity. If an Individual makes a request for an amendment to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three business (3) days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
h. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
i. Accountings. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the HIPAA Rules.
j. Requests for Accountings. Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner designated by the Covered Entity, information collected in accordance with this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the HIPAA Rules. If an Individual makes a request for an accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within three business (3) days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
Covered Entity Obligations.
a. Notification of Privacy Practices and Restrictions.
i. Limitation(s) in Privacy Policies. Covered Entity shall notify Business Associates of any limitation(s) in its notice of privacy practices, to the extent that any such limitation may affect Business Associate’s uses or disclosure of PHI.
ii. Changes/Revocation of Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
iii. Restriction of PHI. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that covered entity has agreed to or is required to abide by under the HIPAA Rules, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
b. Permissible Requests by Covered Entity. Except as otherwise Required By Law or set forth herein, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
Term and Termination.
a. Term. Except as otherwise specified herein, this BA Agreement will be effective as of the Effective Date and will terminate on the date when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed, or, if it is infeasible to destroy PHI, protections are extended by Business Associate to such information, in accordance with the termination provisions in this Section 4.
b. Termination for Cause. Upon either party’s knowledge of a material breach of HIPAA or this BA Agreement by the other party, the non-breaching party will provide a reasonable opportunity for the breaching Party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable time specified by the non-breaching party, this Agreement will terminate effective upon delivery of written notice from the non-breaching party to the breaching Party. If the breaching party has breached a term of HIPAA or this Agreement and cure is not possible, this Agreement will terminate effective immediately upon delivery of written notice from the non-breaching party to the breaching party.
Obligations of Business Associate Upon Termination.
Upon termination of this Agreement, for any reason, Business Associate will destroy all Protected Health Information received from the Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. Business Associate will retain no copies of the Protected Health Information.
In the event that Business Associate determines that destroying the PHI is not feasible, Business Associate will extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction not feasible, for so long as Business Associate maintains such PHI.
a. Survival. Sections 4 and 5 of this BA Agreement shall survive termination.
b. Indemnity. Covered Entity agrees to indemnify, defend and hold harmless Business Associate and its employees, directors/trustees, members, professional staff, representatives and agents (collectively, the “Indemnitees”) from and against any and all claims (whether in law or in equity), obligations, actions, causes of action, suits, debts, judgments, losses, fines, penalties, damages, expenses (including attorney’s fees), liabilities, lawsuits or costs incurred by the Indemnities which arise or result from a breach of the terms and conditions of this BA Agreement or a violation of the HIPAA Rules by Covered Entity or its employees or agents. Covered Entity’s indemnification obligations hereunder shall not be subject to any limitations of liability or remedies in the Underlying Services Agreement.
c. Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
d. Amendment. The Parties agree to take such action as is necessary to this BA Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and any other applicable law.
e. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
f. Governing Law. This BA Agreement shall be governed by, and construed in accordance with the laws of the State of New York, exclusive of conflict of law rules. Each party to this BA Agreement hereby agrees and consents that any legal action or proceeding with respect to this BA Agreement shall only be brought in the courts of the state of New York.
g. Entire Agreement. This BA Agreement constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties.
h. Counterparts. This BA Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or electronic signatures to this BA Agreement shall be deemed original signatures to this BA Agreement.
i. Amendments. No amendments or modifications to the BA Agreement shall be effected unless executed by both parties in writing.