TRUECARE SERVICES AGREEMENT
This Services Agreement (the “Agreement”) is made and entered into effective as of (the “Effective Date”) by and between (“Client”) and TrueCare24, Inc., a Delaware corporation (“TrueCare24”).
- TrueCare24 provides and/or arranges for the provision of certain health and wellness services as described in Exhibit A (together, the “Services”).
- To facilitate applicable Services, TrueCare24 has developed a proprietary Wellness Dashboard (the “Application”).
- Client desires to engage TrueCare24 to provide Services to its members (“Participants”) and to use the Application to conduct the services and TrueCare24 is willing and able to provide such Services and to grant a software license to use the Application in accordance with the terms and conditions set forth in this Agreement.
NOW, THEREFORE, in consideration of the foregoing recitals, and in accordance with the terms and conditions set forth in this Agreement, the parties hereto hereby agree as follows:
- Engagement. Client and TrueCare24 hereby agree that TrueCare24 shall provide to Participants those Services selected on Exhibit A by Client. Services shall not include any telehealth or medical services, such as consultations with a Practitioner.
- Relationship of Parties. The relationship of Client and TrueCare24 established by this Agreement is that of independent contractors. Nothing in this Agreement shall be construed to create any other relationship between Client and TrueCare24. Neither party shall have any right, power or authority to assume, create or incur any expense, liability or obligation, express or implied, on behalf of the other.
- Practitioner Services. The Services may be provided directly by TrueCare24 or through contracted health care practitioners (“Practitioners”) or other subcontractors. When applicable, TrueCare24 shall provide licensed Practitioners to render Services to Participants as permitted by law. Each Practitioner shall be under contract with TrueCare24, licensed in accordance with state law, and otherwise qualified to provide Services.
Non-Solicitation. Client agrees it shall not utilize TrueCare24’s confidential information, including list(s) of non-medical and health care practitioners made available to Client by TrueCare24 under the terms of this Agreement, to solicit and/or contract with any health care practitioner for any purpose including the establishment of its own network of house call services, telemedicine services or other health care items or services. This provision shall survive the termination of this Agreement.
- Health And Safety. The Client must maintain the health and safety for the Practitioners on their site.
- Intellectual Property. The parties agree, and shall at all times recognize, the validity of any and all intellectual property of the other party, including, but not limited to, trademarks, trade names, service marks, icons, RSS feeds and copyrighted materials (sometimes collectively referred to as “Intellectual Property”) of such other party and the ownership thereof by such other party and shall not at any time put in issue or contest, either directly or indirectly, the validity and/or ownership of such Intellectual Property. In addition, nothing in this Agreement shall give either party any interest in any Intellectual Property or in any design of the other party used in connection therewith. It is further understood and agreed that each party grants to the other party during the term of this Agreement, a terminable right, not coupled with an interest, to use any such Intellectual Property or designs in connection with the license herein granted; such use to be in the manner preapproved by such party and with the result of designating such party as the source of and origin of such services and/or products. Each party agrees to take whatever actions reasonably requested by the other party to protect and perfect such a party’s interest in the Intellectual Property. This provision shall survive the termination of this Agreement.
- Equipment. If selected on Exhibit A, TrueCare24 shall provide Client with associated devices, such as, laptops, tablets, thermal cameras, and/or temperature check kiosks, among other devices (the “Equipment”). The Equipment shall be used by the Client solely for the provision of the Services to Participants in compliance with applicable federal and state laws. Client shall take all reasonable steps to assure that the Equipment is used in a careful and proper manner and shall comply with and conform to all national, state, municipal, police and other laws, ordinances and regulations in any way relating to the possession, use, and operation of the Equipment. Client shall make no modifications, alterations, additions or improvements to the Equipment without the prior written consent of TrueCare24, in which event such modifications, alterations, additions or improvements shall belong and become the property of TrueCare24. The Equipment is and shall at all times be and remain the sole and exclusive property of TrueCare24, notwithstanding that the Equipment or any part thereof may now be, or hereafter become, in any manner affixed or attached to or imbedded in, or permanently resting upon, any real property or any building thereon, or attached in any manner to what is permanent as by means of cement, plaster, nails, bolts, screws, connection to utilities, or otherwise.
- Updates and Maintenance. TrueCare24 shall install and maintain all reasonably necessary software updates and improvements in and to the Application and Equipment, and other products used in connection with the provision of the Services in order to keep such systems in working order and condition consistent with the objectives set forth in this Agreement
- Grant of License. In consideration of the payment of the Fees, TrueCare24 grants to Client, and Client hereby accepts, pursuant to the terms and conditions set forth herein, a non-exclusive, nontransferable nonsublicenseable subscription in the United States to use the Application during the Term of this Agreement.
- Confidential Information. It is understood that during the course of this engagement each party will have access to and become familiar with certain information systems and other trade secrets and proprietary and confidential information of the other party (the “Confidential Information”) which includes, (a) the names of accounts, vendors, customers, Participants, and suppliers; (b) the methods, procedures and techniques utilized in identifying prospective referral sources, vendors and suppliers and in soliciting the business thereof; (c) the methods, procedures and techniques used in the conduct of a party’s operations; and (d) software programs, websites, Application, and other information systems. Confidential Information shall be used by the parties only in furtherance of providing Services to Client unless otherwise authorized in writing by the party whose Confidential Information will be used.
- Independent Medical Judgment. TrueCare24 shall not exercise any control or direction over the methods by which the Practitioners perform Services. Practitioners shall have complete authority, responsibility, supervision and control, in their sole discretion, over all diagnoses, treatments, procedures, and other health care services. TrueCare24 shall not engage in the practice of medicine in any way.
- Compliance with Laws. Client and TrueCare24 shall use reasonable efforts to assure that each party complies with the requirements of any statute, ordinance, law, rule, regulation or order of any governmental or regulatory body having jurisdiction respecting the provision of the Services, Application or Software and Equipment described herein.
- Data. Client hereby grants to TrueCare24 a perpetual, worldwide, non-fee-bearing, non-exclusive, irrevocable license to use in accordance with applicable law Client or Participant data created, stored or input into the Application (and any de-identified data derived therefrom), including but not limited to such purposes as quality improvement measures, benchmarking, research, utilization tracking, with the right to grant sublicenses, to use, disclose, sell or otherwise convey the de-identified data to any third party.
- HIPAA. The parties agree to comply with any applicable federal, state or local privacy or patient confidentiality laws. The parties agree that initially the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations will not apply to the Services offered to Participants. In the event either party reasonably determines that HIPAA applies to the relationship contemplated herein, the parties shall enter into the Business Associate Agreement attached as Exhibit B and promptly determine if any additional privacy or confidentiality protections are necessary.
- Fees and Expenses. Client shall pay TrueCare24 the amounts indicated on Exhibit A plus applicable sales tax and expenses (collectively referred to herein as the “Fees”). Fees shall be paid by Client within fifteen (15) days of receipt of invoice from TrueCare24. Any amount not paid when due will bear interest at a rate of 1.5% per month on a compounded basis (or, if lower, the maximum rate permitted by applicable law) until such amount is paid. Any laboratory services performed by a third-party laboratory will be billed directly to Client or a patient’s third party payor, as applicable. Client shall utilize the TrueCare24 platform to facilitate electronic payment of the Fees.
- The parties shall agree in advance to any changes in the Fees set under this Agreement. In the event TrueCare24 agrees to apply a credit or reduce the Fees for any reason, TrueCare24 shall apply such credit or reduction against the total amount.
- Term. This Agreement will become effective on the Effective Date and continue for three (3) months with automatic renewals for successive three (3) month periods unless either party provides the other party written notice of early termination or non-renewal at least fourteen (14) days prior to the termination or expiration date.
- Termination. Either party may terminate this Agreement without cause by giving fourteen (14) days written notice to the other party. This Agreement may be terminated with cause upon the non-breaching party giving written notice of any alleged breach of the terms of this Agreement demanding remedy within ten (10) days. If the breach is not remedied to the satisfaction of the non-breaching party within ten (10) days, this Agreement can be terminated immediately by written notice to the breaching party. Upon receipt by either party of a final order of any governmental agency or court of competent jurisdiction concerning the business, affairs or practices of either of the parties which requires such termination, this Agreement shall terminate.
- Survival. Either the termination or expiration of this Agreement shall relieve either party from any obligation previously accrued and/or remains to be performed upon the date of termination. The parties also agree that their respective rights, obligations and duties under Article IV and Article VI of this Agreement shall survive any termination or expiration of this Agreement. TrueCare24 shall be entitled to receive payment of all amounts unpaid but earned up to the date of termination, which payment shall be due on the termination date. Notwithstanding anything to the contrary, any termination of this Agreement shall terminate the software license to use the Application and any other license granted hereunder.
- Assignment. This Agreement may not be assigned by either party without the prior written consent of the other party; provided, however, that Client may assign this Agreement to any entity or person that owns, is owned by or is under common ownership with Client upon at least ten (10) days prior written notice to TrueCare24, or to a purchaser of all or a substantial portion of Client’s assets.
- Insurance Provided by Client. Client shall maintain at its sole cost and expense throughout the term of this Agreement liability coverage on itself and all its Participants with commercially reasonable limits. Client shall provide to TrueCare24 upon request a certificate of insurance evidencing such coverage.
- Insurance Provided by TrueCare24. TrueCare24 shall maintain, or insure coverage throughout the term of this Agreement, professional liability insurance coverage (i) on itself in the minimum amount of One Million Dollars ($1,000,000) for each occurrence and Three Million Dollars ($3,000,000) in the aggregate, and (ii) on all of its Practitioners as independent contractors, in the minimum amount of One Million Dollars ($1,000,000) for each occurrence and Three Million Dollars ($3,000,000) in the aggregate. Such policies shall provide for at least thirty (30) days’ advance written notice to Client of any alteration of coverage, cancellation or other termination. TrueCare24 shall provide to Client upon request a certificate of insurance evidencing such coverage. Client shall be named an additional insured on the foregoing policies.
- Warranties. Client acknowledges that TrueCare24 is not the manufacturer or the original owner of the Equipment or a dealer therein; the Equipment is of a design, size, capacity, description and manufacturer selected by Client; and that Client is satisfied that the Equipment is suitable and fit for its purposes. TRUECARE24 MAKES NO EXPRESS OR IMPLIED REPRESENTATION OR WARRANTY TO Client OR TO ANY OTHER PERSON AS TO THE CONDITION OF THE EQUIPMENT, ITS MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE, OR AS TO ANY PATENT OR LATENT DEFECTS IN ITS MATERIAL, WORKMANSHIP OR OTHERWISE, IT BEING THE EXPRESS UNDERSTANDING AND AGREEMENT OF GROUP THAT ANY AND ALL EXPRESS IMPLIED WARRANTIES ARE WAIVED.
- Limitations of Liability. Under no circumstance will either party be liable under any contract, strict liability, negligence or other legal or equitable theory, for any indirect, special, incidental or consequential damages or lost profits or loss of goodwill or reputation in connection with the subject matter of this Agreement. TrueCare24’s aggregate liability under any legal theory, including tort claims, shall not exceed the fees paid and to be paid by Client pursuant to this Agreement within the twelve (12) month period prior to such event occurring that gives rise to such liability. Except as expressly set forth herein, the products and services provided hereunder are provided on an “as is” and “as available” basis. TrueCare24 does not warrant that the services or products will (i) be uninterrupted, error-free (or that all errors will be corrected), or completely secure, (ii) provide accurate results, or (iii) meet customer’s expectations. Client acknowledges that TrueCare24 has set its prices and entered into this Agreement in reliance upon the limitations of liability and the disclaimers of warranties and damages set forth herein and that the same form an essential basis of the bargain between the parties. The parties agree that the limitations and exclusions of liability and disclaimers specified in this Agreement will survive and apply even if found to have failed of their essential purpose.
- Indemnification. Each party agrees to accept and is responsible for its own acts and omissions in providing services pursuant to this Agreement as well as those acts or omissions of its Participants, contractors, officers and directors and nothing in this Agreement shall be construed to place any responsibility for such acts or omissions onto the other party.
- Changes in Regulatory Landscape. Client and TrueCare24 understand that the federal, state and local laws and regulations applicable to this Agreement may be amended from time to time and agree to execute any amendments to this Agreement necessary to maintain compliance with those laws and regulations.
- Notices. Any notice or other communication under this Agreement shall be in writing and shall be delivered in person or sent by pre-paid certified or registered mail, receipted overnight messenger service receipted hand delivery, or by email or facsimile (with electronic confirmation), as follows:
If to TrueCare24:
951 Mariners Island Blvd, Suite 300,
San Mateo, CA, 94404
Each such notice or other communication shall be considered to have been given when received if delivered in person, three (3) days after being mailed if sent by certified or registered mail, one (1) day after being given to the overnight messenger service if sent by that means, or on the date of transmission if sent by email or facsimile. Any party may change its address for purposes of this Agreement by notice in accordance with this Section 7.6.
- Taxes. Client shall, in addition to the other amounts payable under this Agreement, pay all sales, use, excise, value added or other taxes or levies, whether federal, state or local, however named, arising out of the transactions contemplated by this Agreement, except that Client shall not be liable for taxes based on TrueCare24’s income.
- Entire Agreement; Modification and Change. This Agreement contains the entire agreement between the parties to this Agreement and supersedes any and all prior agreements, arrangements, or understandings between the parties relating to the subject matter of this Agreement. This Agreement, and any provision or time period specified in this Agreement, cannot be changed or modified except by another agreement in writing executed by both parties.
- Warranties. The parties warrant that each has the legal capacity to enter into this Agreement, that the execution has been duly approved, and that their respective obligations do not violate any statute, ordinance, ruling of any administrative body, or any agreement to which either TrueCare24 or Client is a party.
- Severability. If any provision of this Agreement or its application to any person or circumstance shall be invalid or unenforceable to any extent, the remainder of this Agreement and application of its provisions to other persons or circumstances shall not be affected and shall be enforced to the extent permitted by law.
- Governing Law. This Agreement shall be governed by and construed under the laws of the United States and the State of Delaware.
- Dispute Resolution. In the event that a dispute arises between the parties under this Agreement, the parties will first negotiate in good faith to try and resolve the dispute. If the dispute cannot be settled through negotiation within thirty (30) days, such dispute shall be settled through binding arbitration to be conducted by a single arbitrator in San Francisco, California, in accordance with the Commercial Arbitration Rules of the American Arbitration Association (“Rules”). If the parties fail to agree on an arbitrator within thirty (30) days, the office of the American Arbitration Association in San Francisco, California shall make the necessary appointment of such arbitrator. Notwithstanding the foregoing, either party may, without waiving any remedy under this Agreement, seek from any court having jurisdiction any interim or provisional relief that is necessary to protect the rights or property of that party from irreparable damage or harm, pending the determination of the arbitrator. The arbitration shall result in settlement of the dispute within sixty (60) days of the appointment of the arbitrator, and the arbitrator shall agree to comply with this schedule before accepting appointment. However, this time limit may be extended by written agreement of the parties, if necessary. The decision or award of the arbitrator shall be final, and judgment upon such decision or award may be entered in any competent court or application may be made to any competent court for judicial acceptance of such decision or award and an order of enforcement. In the event of any procedural matter not covered by the Rules, the procedural law of the State of California shall govern. The arbitrator shall have no authority to award punitive or other damages not measured by the prevailing party’s actual damages, except as may be required by statute. In addition to any other awards, the arbitrator shall award to the prevailing party, if any, as determined by the arbitrator, all of the prevailing party’s costs and fees. “Costs and fees” shall include all reasonable pre-award expenses of the arbitration, including the arbitrator’s fees, administrative fees, the cost of posting a bond (if posted by the prevailing party), travel expenses, out-of-pocket expenses such as copying and telephone, court costs, witness fees and reasonable attorneys’ fees.
- Counterparts. This Agreement may be executed simultaneously in two (2) or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
COVID Testing Terms
- The Vaccination Verification/Documentation platform includes functionality shown in the demo. Additional features or updates outside of the functionality shown in the demo will be estimated (based upon a $225/hour rate, 2 hour minimum) and a quote will be provided to client.
- Project initiation and execution to occur 5 business days after the signed agreement and deposit date. A 50% expedite fee will be billed per day if execution is needed sooner. Expedite fee is based upon the actual amount due for that day’s event
- Billing is based upon the minimum number or actuals, whichever is higher; it may exceed contract value with additional authorization.
- Minimum 2-hour shift and a minimum of 40 kits administered for a 2 hour minimum. A minimum of 20 kits per hour beyond the 2 hours.
- Any additional hours beyond the above or not adhering to the above will be billed at administrator fee of $299 per hour. If less than 20 tests per hour, the applicable administration fee will apply.
- Service deposit is due before the start of service. The deposit will be used for the last event week(s) of billing.
- All unused kits with a maximum of 5% must be returned within 1 week of last testing event or a service fee of $129 per kit is charged.
- Minimum disruption to shift schedules with an expected wait time per person. Any additional rescheduling within 48 hours, will be charged a $500 fee.
- 4% for Credit Card Fee
- Pricing does not include any applicable sales and other taxes or shipping & handling.
HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is entered into by and between (“Covered Entity”) and TrueCare24, Inc., a Delaware corporation (“Business Associate”) as of the 1st day of April, (the “Effective Date”).
- Client is a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and its implementing regulations (collectively, “HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical (“HITECH”) Health Act (Division A, Title XIII and Division B, Title IV of Pub. L. No. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and TrueCare24, Inc. is a “Business Associate” as defined under HIPAA; and
- In connection with the COVID-19 Services Agreement between Covered Entity and Business Associate for Business Associate to provide certain services for and on behalf of Covered Entity (the “Agreement”), Covered Entity may provide Business Associate with Protected Health Information (“PHI”) (defined below); and
- Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to this BAA, which is drafted to satisfy specific components of HIPAA and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below) and the Breach Notification Rule (defined below).
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:
- “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
- “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
- “Designated Record Set” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.501.
- “Electronic Protected Health Information” or (“EPHI“) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
- Other terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
- PRIVACY RULE PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE
- Permitted Uses and Disclosures of PHI. Except as provided in Paragraphs (b), (c), and (d), below, Business Associate may only use or disclose PHI to perform functions, activities or services for, or on behalf of Covered Entity, as specified in the Agreement.
- Use for Management and Administration. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), use PHI if necessary (i) for the proper management and administration of Business Associate, or (ii) to carry out the legal responsibilities of Business Associate.
- Disclosure for Management and Administration. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), disclose PHI for the proper management and administration of Business Associate, provided (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed (“Person”) that it will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Person, and that the Person agrees to immediately notify Business Associate in writing of any instances of which it becomes aware in which the confidentiality of the information has been breached or is suspected to have been breached.
- Reporting Violations. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
- PRIVACY RULE OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
- Limitations on Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Agreement, and this BAA.
- Appropriate Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Agreement and this BAA or as Required by Law.
- Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of HIPAA, the Agreement, or this BAA.
- Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity in writing any use or disclosure of PHI not provided for by the BAA promptly after becoming aware of such use or disclosure.
- Business Associate’s Subcontractors. Business Associate shall ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI.
- Obligations on Behalf of Covered Entity. To the extent Business Associate carries out an obligation for which Covered Entity is responsible under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
- Access to PHI. Business Associate shall provide access, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
- Amendment of PHI. Business Associate shall make any PHI contained in a Designated Record Set available to Covered Entity (or an Individual as directed by Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity. If an Individual requests an amendment of PHI directly from Business Associate or its Subcontractors, Business Associate shall notify Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by Business Associate or its Subcontractors shall be the responsibility of Covered Entity.
- Accounting of Disclosures. Business Associate shall provide to Covered Entity information collected in accordance with Section 3(j) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to Business Associate or its Subcontractors, Business Associate shall provide a copy of such request to Covered Entity, in writing, promptly after Business Associate’s receipt of such request.
- Documentation of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
- Retention of PHI. Notwithstanding Section 6(c) of this BAA, Business Associate and its Subcontractors shall retain all PHI throughout the term of the Agreement and shall continue to maintain the information required under Section 3(j) this BAA for a period of six (6) years after termination of the Agreement.
- Governmental Access to Records. Business Associate shall make its internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary and Covered Entity for purposes of determining Covered Entity’s compliance with the Privacy Rule as applicable.
- Minimum Necessary. Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- Data Aggregation. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-Identification. Business Associate may de-identify PHI received from Covered Entity, consistent with the Privacy Rule’s standards for de-identification. 45 C.F.R. § 164.514.
- SECURITY RULE OBLIGATIONS OF BUSINESS ASSOCIATE
- Compliance with the Security Rule. Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as permitted by the Agreement and this BAA or as Required by Law.
- Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI. .
- Security Incident. Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.
- BREACH NOTIFICATION RULE OBLIGATIONS OF BUSINESS ASSOCIATE
- Notification Requirement. To the extent Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following the discovery of a Breach of such information, notify the Covered Entity of such Breach without unreasonable delay.
- Contents of Notification. Any notice referenced above in Section 5(a) of this BAA will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
- TERM AND TERMINATION
- Term. The term of this BAA shall commence as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the provisions of this Section 6.
- Termination for Cause. Upon Covered Entity’s knowledge of a material breach of the terms of this BAA by Business Associate, Covered Entity shall:
- Provide an opportunity for Business Associate to cure, and, if Business Associate does not cure the breach within forty-five (45) days, Covered Entity may immediately terminate this BAA and the Agreement;
- Immediately terminate this BAA and the Agreement if Covered Entity has determined that (a) Business Associate has breached a material term of this BAA, and (b) cure is not possible;
- Immediately terminate this BAA if the Agreement has been terminated; or
- Effect of Termination.
- Except as provided in paragraph (ii) of this Section 6(c), upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and shall retain no copies of the PHI except as required by the Agreement. This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
- In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- COVERED ENTITY OBLIGATIONS
- To the extent that Covered Entity has agreed to further limitations on uses and disclosures of PHI, Covered Entity shall notify Business Associate of such additional restrictions, including any limitation(s) in Covered Entity’s notice of privacy practices that are produced in accordance with 45 C.F.R. § 164.520 (as well as any changes to that notice), to the extent that such limitation(s) may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall promptly notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall provide Business Associate only the Minimum Necessary amount of data for Business Associate to accomplish the intended purpose of the disclosure.
- Regulatory References. A reference in this BAA to a section in the Privacy, Security, or Breach Notification Rule means the section as in effect or as amended, and for which compliance is required.
- Survival. The respective rights and obligations of Business Associate under Section 6(c) of this BAA shall survive the termination of the BAA.
- No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy, Security or Breach Notification Rule as well as HIPAA and HITECH.
- Effect on Agreement. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
- Interpretation. The provisions of this BAA shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provision in this BAA. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the Privacy, Security, and Breach Notification Rules, as well as HIPAA and HITECH.
- Entire Agreement. This BAA constitutes the entire agreement of the parties with respect to the subject matter hereof, and all prior and contemporaneous understandings, agreements and representations, whether oral or written, with respect to such matters are superseded.
- Counterparts. This BAA may be executed in multiple counterparts, each of which shall be deemed an original but all of which together shall constitute one and the same instrument. Facsimile or electronic (PDF) signatures shall be treated as original signatures. This BAA shall be binding when one or more counterparts hereof, individually or taken together, shall bear the signatures of all of the parties reflected on this BAA as the signatories thereto.