Legal Stuff
CUSTOMER TERMS OF SERVICE
OUR CUSTOMER TERMS OF SERVICE
The following terms and conditions (“Terms of Service”) govern the purchase, access, and use of the Hypermedica Starter and/or Premium subscription service (the “Service”). By purchasing, accessing, or using the Service, you are entering into a legally binding agreement with Mdustry, LLC. (“Hypermedica”) on behalf of the legal entity with whom you are employed, affiliated, or otherwise associated (the “Customer”) that you identify as the “Company / Organization” on the online Service order screen. By purchasing the Service you represent that you are acting on Customer’s behalf and that you have the authority to legally bind the Customer to these Terms of Service. If you are purchasing the Service for yourself in your capacity, then enter your name in the “Company / Organization” field. If you do not have the authority to act on behalf of Customer or do not agree with these Terms of Service, then you may not purchase, access, or use the Service.
- DEFINITIONS
- ACCESS AND USE OF THE SERVICE; RESTRICTIONS
- Right to Access and Use.
- Restrictions.
- IMPLEMENTATION; ENABLEMENT
- SUPPORT AND MAINTENANCE
- FEES; PAYMENT TERMS; TAXES
- CUSTOMER OBLIGATIONS
- TERM AND TERMINATION
- SUSPENSION
- OWNERSHIP OF THE SERVICE; RESERVATION OF RIGHTS
- DATA
- CONFIDENTIALITY & NON-DISCLOSURE
- Non-Disclosure Obligations.
- Permitted Disclosures.
- WARRANTY AND DISCLAIMERS
- Warranty.
- Exclusive Remedy.
- Disclaimer.
- INDEMNIFICATION
- LIMITATIONS OF LIABILITY
- Exclusion of Damages.
- Limitation of Liability.
- Liability Disclaimer.
- TRADEMARKS
- GOVERNING LAW; VENUE
- MODIFICATIONS TO THE TERMS OF SERVICE
- EXHIBITS
- MISCELLANEOUS
“Authorized User” is defined in Section 2.2.
“Consultation” or “visit” means any single, synchronous, online consultation lasting longer than 20 seconds between two or more Authorized Users using the Service.
“Customer Data” is defined in Section 10.
“Documentation” means the Product Description Document, attached hereto as Exhibit B, as may be amended from time to time.
“Guest” means an individual authorized by a Patient to participate in the Patient’s Consultation.
“Patient” means a patient of a Provider who accesses or uses the Service.
“Provider” means any healthcare clinician or provider in Customer’s practice who provides healthcare and/or related services via the Service.
“Term” is defined in Section 7.
“Territory” means the United States.
“Practice User” means (i) a Provider or (ii) an employee, agent, or contractor of Customer having permission-based access to manage the Service, including viewing and managing user accounts, scheduling Consultations, managing configurations, and accessing reports.
Subject to these Terms of Service and Customer’s payment of the monthly subscription fee, during the Term Hypermedica, will make the Service available to Customer on a limited, non-exclusive, non-transferrable, non-sublicensable basis to allow up to the number of Practice Users licensed by Customer to schedule, manage, and conduct Consultations within the Territory.
Customer shall not, and shall ensure that Practice Users do not (i) sell, lease, provide service bureau or timeshare services, share Practice User accounts, distribute or otherwise make the Service available to third parties other than an individual who is a Practice User, a Patient, or a Guest (collectively, “Authorized Users”); (ii) copy, reverse engineer, decompile, disassemble, re-engineer, or otherwise create or attempt to create or permit, allow, or assist others to create the source code of the Service, or its structural framework; (iii) modify or create derivative works of the Service or use the Service in whole or in part for any purpose except as expressly provided herein; (iv) access or use the Service in any manner that could disable, damage, or impair the Service or any component thereof; (v) violate or attempt to violate the security of the Service; access or attempt to access servers, data, or accounts which Customer is not authorized to use; attempt to probe, scan or test the vulnerability of the Service, related systems or networks, or to breach the security or authentication measures of the Service; (vi) use the Service for any critical care situations; or (vii) access or use the Service or any portion thereof without authorization, in violation of these Terms of Service, or in any way that violates any federal, state or local law or regulation or professional rule applicable to Customer or Practice Users including, without limitation, those relating to patient privacy, medical care and treatment including the Health Insurance Portability and Accountability Act (HIPAA), physician self-referrals (the Stark law), or text messaging (the Telephone Consumer Protection Act).
Hypermedica shall set up the Service within three business days of receipt of (i) Customer’s successful payment transaction; and (ii) Customer’s submission of an accurate, completed registration application. Access to Hypermedica’s online training tools will be provided to Customer as well as standard communication materials in electronic format for Patient Engagement.
During the Term, Hypermedica shall provide hosting, support, and maintenance services.
Customer shall pay Hypermedica the monthly Service fees including all taxes, governmental charges, and surcharges due or assessed concerning amounts payable by Customer hereunder (other than Hypermedica’s income taxes). Customer may access the Service for thirty (30) days starting on the Effective Date at no charge (the “Trial Period”). The Trial Period may not be extended for any reason by Hypermedica. The monthly subscription fee will be invoiced and payable immediately following the Trial Period and on the same day each month thereafter during the Term. Hypermedica reserves the right to update the monthly subscription fee at any time upon providing notice of the same to Customer and such update will take effect upon the next monthly billing cycle. Any addition or removal of Practice User(s) occurring during a given month will be charged or credited, as the case may be, on a pro-rated basis from the day such change was made. The fees will be charged to the credit card associated with Customer’s account. If a payment fails, and Customer does not correct the failed payment within 10 calendar days, the Service will terminate. Customer represents and warrants that (i) any credit card, debit card and bank account information supplied by Customer or on Customer’s behalf is true, correct and complete, (ii) charges incurred by Customer will be honored by its credit/debit card company or bank, (iii) Customer will pay the charges incurred in the amounts posted, including any applicable taxes, and (iv) Customer is authorized to make purchases or other transactions with the relevant credit/debit card and credit/debit card information. Payment processing services for the Service are provided by Stripe and are subject to the Stripe Connected Account Agreement located at https://stripe.com/connectaccount/legal, which includes the Stripe Terms of Service located at https://stripe.com/legal (collectively, the “Stripe Services Agreement”). By agreeing to these Terms of Service or using the Service, Customer agrees to be bound by the Stripe Services Agreement, as it may be modified from time to time. As a condition of Hypermedica enabling payment processing services through Stripe, Customer agrees to provide Hypermedica accurate and complete information about Customer and its business, and Customer authorizes Hypermedica to share it and transaction information related to Customer’s use of the payment processing services with Stripe. If a credit card account is being used for a transaction, Hypermedica or Stripe may obtain pre-approval for an amount up to the amount of the payment.
Customer will ensure that all Providers (a) are duly licensed to provide healthcare and related services where they are practicing and are otherwise properly credentialed, (b) are at all times employed or contracted by, or otherwise affiliated with, Customer and have agreed to comply with these Terms of Service and the Service Terms of Service, and (c) carry professional liability insurance in at least the minimum amount required by law. Subject to Hypermedica’s obligations as a Business Associate (as defined in HIPAA), Customer is responsible for compliance with all applicable laws and regulations concerning or related to the practice of medicine or the provision of Customer Data (as defined below) to Hypermedica hereunder and for Practice Users’ compliance with the same. Customer is solely responsible for all billings and collections from Patients, and Hypermedica shall have no liability whatsoever to Customer concerning any amounts owed by any Patient or other consumer of Customer. Customer is responsible for the confidentiality of the user IDs and passwords associated with Customer’s account and shall not share or disclose user IDs or passwords to any non-Practice User third-party. Customer is fully responsible for all activities under Practice Users’ accounts.
The Service will commence on the date Customer orders the Service (the “Effective Date”) and will continue until terminated under these Terms of Service (the “Term”). Hypermedica may terminate the Service at any time by providing Customer with notice of its intent to do the same. Customer may terminate the Service at any time by logging into Customer’s account. There are no refunds for partial months used. Upon termination of the Service: (i) Hypermedica will cease providing Customer the Service and Customer’s and Authorized Users’ access to the Service shall terminate; (ii) Customer will return to Hypermedica, and/or certify to the destruction of, all copies of the Documentation and any other Hypermedica confidential information in Customer’s possession; and (iii) Customer will immediately pay all amounts owed. Sections 2, 5, 6, 7, 9 through 11, 12.3, 13, 14, 16, and 19 survive termination of the Service.
Upon Hypermedica’s reasonable belief that improper activity may be associated with Customer’s or an Authorized User’s use of the Service, Hypermedica may, without incurring any liability, temporarily suspend the Service in whole or in part to investigate any improper activity.
Hypermedica will always solely and exclusively own all rights, titles, and interests in and to the Service, the Documentation, the Hosting Operations Guide, and all intellectual property or other rights in the foregoing, including but not limited to all modifications and derivative works. Hypermedica reserves all rights not expressly granted in these Terms of Service and nothing herein shall be construed to (i) directly or indirectly grant any title to or ownership of Hypermedica’s intellectual property rights in services or materials furnished by Hypermedica, or (ii) preclude Hypermedica from developing, marketing, using, licensing, modifying or otherwise freely exploiting services or materials that are similar to or related to the Services or materials provided pursuant hereto. No implied licenses are granted.
As between Hypermedica and Customer, Customer retains all rights, titles, and ownership in the data and information inputted into the Service by Customer and any Authorized User (“Customer Data”). Hypermedica may keep one copy of Customer Data after the termination of the Service for purposes of resolving disputes and for internal business purposes related to delivery, support, and testing of the Service.
“Confidential Information” means any technical or business information furnished by one party to the other in connection with the proposed business relationship, regardless of whether such information is specifically designated as confidential and regardless of whether such information is in written, oral, electronic, or another form. Such Confidential Information may include, without limitation, trade secrets, know-how, inventions, technical data, or specifications, testing methods, business or financial information, research and development activities, product and marketing plans, and customer and supplier information. Each party agrees that any Confidential Information it receives from the other is the exclusive proprietary property of the disclosing party or its licensors and may include highly confidential information. Each party (the “Receiving Party”) receiving confidential information from the party disclosing confidential information (the “Disclosing Party”) agrees that it shall: (i) maintain all Confidential Information in strict confidence, except that the Receiving Party may disclose or permit the disclosure of any Confidential Information to its directors, officers, employees, consultants, and advisors who are obligated to maintain the confidential nature of such Confidential Information and who need to know such Confidential Information for the purposes outlined in these Terms of Service; (ii) use all Confidential Information solely for the purposes outlined in these Terms of Service; and; (iii) allow its directors, officers, employees, consultants, and advisors to reproduce the Confidential Information only to the extent necessary to effect the purposes outlined in these Terms of Service, with all such reproductions being considered Confidential Information. The above provisions shall not apply to information that (a) was in the public domain at the time of disclosure, (b) entered the public domain after the time of its disclosure under these Terms of Service through means other than an unauthorized disclosure resulting from an act or omission by the Receiving Party; (c) was independently developed or discovered by the Receiving Party without the use of the Confidential Information; or (d) is or was disclosed to the Receiving Party at any time, whether before or after the time of its disclosure under these Terms of Service, by a third-party having no fiduciary relationship with the Disclosing Party and having no obligation of confidentiality concerning such Confidential Information. The nondisclosure obligations of the Receiving Party shall be waived in any instance where Confidential Information is required to be disclosed to comply with applicable laws or regulations, or with a court or administrative order, provided that the Disclosing Party receives prior written notice of such disclosure and that the Receiving Party takes all reasonable and lawful actions to obtain confidential treatment for such disclosure and, if possible, to minimize the extent of such disclosure. The Receiving Party acknowledges that the Disclosing Party (or any third-party entrusting its confidential information to the Disclosing Party) claims ownership of the Confidential Information disclosed by the Disclosing Party and all patent, copyright, trademark, trade secret, and other intellectual property rights in, or arising from, such Confidential Information. No option, license, or conveyance of such rights to the Receiving Party is granted or implied under these Terms of Service. If any such rights are to be granted to the Receiving Party, such grant shall be expressly outlined in a separate written instrument. The Receiving Party acknowledges that the Disclosing Party makes no representations and gives no warranties of any kind regarding the Confidential Information disclosed to Receiving Party and shall have no liability concerning any such Confidential Information under these Terms of Service. The Receiving Party agrees that any breach of its obligations under these Terms of Service will cause irreparable harm to the Disclosing Party; therefore, the Disclosing Party shall have, in addition to any remedies available at law, the right to obtain equitable relief to enforce these Terms of Service. Permitted Disclosures. Customer authorizes Hypermedica to disclose
Notwithstanding Section 11, Customer authorizes Hypermedica to disclose the following Provider information to Patients that are scheduled for a Consultation with such Provider: Provider first and last name, title, credential type, NPI number, specialty, email address, location. If Customer uses a partner referral code or a referral partner’s dedicated page when signing up for the Service, Hypermedica may disclose Customer’s name to such referral partner.
During the Term, Hypermedica warrants to Customer that (i) the Service will perform substantially following the Documentation, and (ii) Hypermedica will perform all services under these Terms of Service in a professional and workmanlike manner and following generally accepted industry standards (collectively, the “Warranty”).
Customer will report any non-conformity with the Warranty to Hypermedica following the Hosting Operations Guide within ten (10) days after the date on which such failure first occurs. If Hypermedica fails to remedy a non-conformity within ninety (90) days of such notice, then Hypermedica’s entire liability and Customer’s sole and exclusive remedy for such failure shall be for Customer to terminate the Service and receive a pro-rata refund of any fees paid after Customer’s notice regarding the failure of the Warranty.
HYPERMEDICA DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT IN RESPECT OF THE SERVICE. EXCEPT AS PROVIDED IN SECTION 12.1, HYPERMEDICA PROVIDES THE SERVICE TO CUSTOMER “AS IS”, WITH NO OTHER WARRANTIES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES ARISING FROM THE COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF THE TRADE. HYPERMEDICA DOES NOT WARRANT THE SERVICE WILL BE ERROR-FREE OR PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION OR WITH CONTINUOUS ACCESS. Hypermedica will have no obligation to Customer under the Warranty, or otherwise, to the extent the failure of the Service to meet the Warranty can be attributable to causes that are not the responsibility of Hypermedica.
Customer shall defend, indemnify and hold harmless Hypermedica, its directors, officers, employees, and affiliates (collectively, “Hypermedica Entities”) against any claims and liabilities related to Customer’s or Practice User’s use of the Service or failure to comply with these Terms of Service, including without limitation for all (i) medical malpractice claims which may be brought by Patients, (ii) for any regulatory or other actions related to the unlicensed, unsupervised or otherwise unapproved practice of medicine by Providers, and (iii) any fraud, abuse or misrepresentation by Providers. Hypermedica shall notify Customer promptly in writing of any such claim and provide information and reasonable assistance necessary to defend such claim. Customer shall have sole control of the defense concerning any such claim (including settlement of such claim) if Customer shall not settle such claim without Hypermedica’s prior written consent. No consent shall be required if the settlement expressly and unconditionally releases Hypermedica Entities from all liabilities and obligations concerning such claim, without prejudice.
SUBJECT TO SECTION 14.4, IN NO EVENT, SHALL EITHER PARTY OR ITS SUPPLIERS OR LICENSORS BE LIABLE FOR LOST PROFITS OR REVENUES, REPUTATIONAL HARM, OR FOR ANY CONSEQUENTIAL, SPECIAL, INCIDENTAL, INDIRECT, OR PUNITIVE DAMAGES, INCLUDING THE COST OF SUBSTITUTE GOODS OR SERVICES, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE ARISING OUT OF OR IN CONNECTION WITH THE SERVICE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SUBJECT TO SECTION 14.4, EACH PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY FOR ANY CLAIMS ARISING HEREUNDER, REGARDLESS OF WHETHER IN CONTRACT TORT (INCLUDING NEGLIGENCE) OR OTHER CAUSE OF ACTION, SHALL NOT EXCEED THE AMOUNTS PAID BY CUSTOMER TO HYPERMEDICA FOR THE SERVICE IN THE 12MONTH PERIOD PRECEEDING THE DATE ON WHICH SUCH CLAIM AROSE.
CUSTOMER ACKNOWLEDGES AND AGREES THAT HYPERMEDICA IS NOT ENGAGED IN THE PRACTICE OF MEDICINE AND THAT HYPERMEDICA IS NOT DETERMINING THE APPROPRIATE MEDICAL USE OF THE SERVICE. ACCORDINGLY, ALL MEDICAL DIAGNOSTIC AND TREATMENT DECISIONS ARE THE RESPONSIBILITY OF CUSTOMER AND/OR PROVIDERS. HYPERMEDICA EXPRESSLY DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM THE DELIVERY OF HEALTHCARE AND RELATED SERVICES VIA THE SERVICE, INCLUDING, BUT NOT LIMITED TO LIABILITY FOR MEDICAL MALPRACTICE.
Exceptions to Liability and Damages Limitations. Sections 14.1 and 14.2 will not apply to amounts owed in respect of a party’s indemnification obligations in Section 13 or for claims arising under Sections 2.3 (Restrictions) or 9 (Ownership of the Service; Reservation of Rights), or to amounts payable by Customer.
Customer hereby grants Hypermedica the right to display the logo or other trademark, tradename, or newly developed product name of Customer (each, a “Customer Mark”) in providing the Service. Hypermedica acknowledges the ownership of Customer in the Customer Marks and agrees that all use of the Customer Marks (i) shall be under quality control guidelines provided by Customer, and (ii) shall inure to the benefit, and be on behalf, of Customer or such Customer's client. Hypermedica acknowledges that its utilization of the Customer Marks shall not create in it, nor shall Hypermedica represent it has, any right, title, or interest in or to such Customer Marks other than the rights expressly granted herein.
These Terms of Service are governed by the laws of the United States Territory of Puerto Rico, excluding its conflict of law’s provisions. The parties irrevocably submit to the exclusive jurisdiction of the state and federal courts of the United States Territory of Puerto Rico, City of San Juan, for any disputes, actions, suits, or proceedings arising out of or relating to these Terms of Service. Customer acknowledges that its breach of Section 2.3 (Restrictions) could cause irreparable harm to Hypermedica and Hypermedica may seek relief by way of injunction or specific performance in any court of competent jurisdiction (notwithstanding the foregoing venue provision) without having to post a bond of security and without prejudice to its other available rights and remedies.
Hypermedica reserves the right to modify these Terms of Service at any time in its sole discretion upon written notice to Customer. Customer’s continued use of the Services will confirm Customer’s acceptance of such modifications. If Customer does not agree to the modified terms, Customer must stop using the Service.
Exhibit A (Business Associate Agreement) is hereby incorporated into these Terms of Service.
The failure of either party to exercise any right or remedy will not operate as further waiver of such right or remedy in the future or any other right or remedy. No waiver of any contractual breach will be deemed to imply or constitute a waiver of any other breach, whether of a similar nature or otherwise. Notices required or permitted under these Terms of Service will be in writing and will be sufficiently given if: (i) delivered personally, (ii) mailed by certified or registered mail return receipt requested, postage prepaid, (iii) sent by overnight guaranteed delivery service, and addressed to the party’s name, contact person, and address or to such other address or addressee as either party may from time to time designate by written notice; (iv) in the case of Customer, delivered electronically via the Service. Any such notice or other communication will be deemed to be given as of the date it is delivered to the recipient. If any one or more of the provisions of these Terms of Service are invalid or otherwise unenforceable, the enforceability of the remaining provisions will be unimpaired. If Hypermedica is unable to perform any of its obligations hereunder due to events beyond its reasonable control, Hypermedica’s obligations will be excused for the duration of those circumstances resulting from such events that prevent Hypermedica’s performance. These Terms of Service will be binding upon and inure to the benefit of the respective successors of each party. Customer may not assign or otherwise transfer any rights to the Service in whole or in part. Hypermedica may assign its rights and obligations hereunder without the consent of Customer to an affiliate or in conjunction with a corporate reorganization, merger, or sale of substantially all of its assets. Each party is an independent contractor, and nothing herein will be deemed to constitute the parties as partners, agents, or joint ventures. These Terms of Service constitute the entire agreement between the parties and supersede all previous and contemporaneous agreements, understandings, and arrangements, concerning the subject matter hereof. These Terms of Service are made and entered into for the sole protection and benefit of the parties hereto, and no other person or entity will be a direct or indirect beneficiary of or will have any direct or indirect cause of action or claim in connection with the Service.
EXHIBIT A
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is made a part of the Terms of Service (the “Underlying Agreement”) by and between Customer (“Covered Entity”) and Mdustry, LLC. (“Business Associate”) (each a “Party” and collectively, the “Parties”).
WHEREAS, in connection with the Underlying Agreement, Business Associate may create, receive, maintain, or transmit on behalf of Covered Entity, or otherwise receive from Covered Entity, certain Protected Health Information (“PHI”); and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate under the Underlying Agreement in compliance with: (i) the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (collectively, “HIPAA”) and the privacy, security and breach notification regulations promulgated thereunder, as amended from time to time (collectively, the “HIPAA Regulations”), (ii) the Commonwealth of Massachusetts law related to security breaches at Massachusetts General Laws, Chapter 93H and 201 C.M.R. 17.00 (the “Massachusetts Confidentiality Law”), and (iii) other applicable laws; and
WHEREAS, the purpose of this BAA is to set forth the requirements necessary to satisfy certain standards and requirements of HIPAA and the HIPAA Regulations. NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties, intending to be legally bound, hereby agree as follows:
DEFINITIONS
Unless otherwise specified in this BAA, all capitalized terms used herein shall have the meanings ascribed to them in the HIPAA Regulations.
PURPOSE FOR WHICH BUSINESS ASSOCIATE MAY USE OR DISCLOSE PHI
The Parties hereby agree that except as otherwise limited in BAA, Business Associate shall be permitted to use or disclose PHI provided or made available from Covered Entity to perform any function, activity, or service for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the HIPAA Regulations if done by Covered Entity.
BUSINESS ASSOCIATE OBLIGATIONS
Business Associate covenants and agrees that it shall:
- Not use or further disclose PHI other than as permitted or required under BAA or as required by applicable law or regulation.
- Implement the administrative, physical, and technical safeguards outlined in 45 C.F.R § 164.302-318 and otherwise reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity and to use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted under BAA.
- Use appropriate safeguards to maintain the security of and prevent unauthorized access, use, and disclosure of Covered Entity’s PHI. Such safeguards will include a written information security program.
- Require any of its Subcontractors or other third parties with which Business Associate does business that is provided PHI or electronic PHI on behalf of Covered Entity, to agree, in writing, to adhere to the same restrictions and conditions on the use and disclosure of PHI that apply to Business Associate under BAA.
- To the extent Business Associate maintains PHI in a Designated Record Set, make available to Covered Entity upon written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (a) under an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526; and (c) that may be required to provide an accounting of disclosures under 45 C.F.R. § 164.528. In the event of a request by an individual directly to Business Associate for an accounting, Business Associate will provide such an accounting following regulations and standards adopted by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”). Business Associate shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.
- Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Business Associate on behalf of Covered Entity, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Regulations. The Parties’ respective rights and obligations under this Section C (6) shall survive the termination of the Underlying Agreement.
- During the term of the Underlying Agreement, notify Covered Entity of any Breach of Unsecured PHI. Notice will include the identification of everyone whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during such Breach and other information necessary for Covered Entity to fulfill any Breach notification obligations.
- Disclose to its Subcontractors or other third parties, and request from Covered Entity, only the minimum PHI necessary, in Business Associate’s judgment, to perform or fulfill a specific function required or permitted by BAA.
- Business Associate shall not receive remuneration directly or indirectly in exchange for PHI. Without limiting the generality of the foregoing, this provision shall not prohibit payment by Covered Entity for services provided by Business Associate according to the Underlying Agreement.
- Business Associate shall not use or disclose PHI for fundraising or marketing purposes unless such use or disclosure is according to the Underlying Agreement or another written agreement that does not violate HIPAA.
PERMITTED USES AND DISCLOSURES
Business Associate agrees that it shall not use or disclose PHI in any manner, form, or in any means that is contrary to its obligations under the Underlying Agreement or BAA. Notwithstanding the foregoing, the Parties agree that according to federal law, Business Associate may:
- Use PHI in its possession for its proper management and administration and to fulfill any of its present or future legal responsibilities provided that such uses are permitted under state and federal confidentiality laws.
- Disclose PHI in its possession to third parties for its proper management and administration or to fulfill any of its present or future legal responsibilities provided that (i) the disclosures are required by law, as provided for in 45 C.F.R. § 164.501, or (ii) Business Associate has received from the third-party written assurances that the PHI will be held confidentially, that the PHI will only be used or further disclosed as required by law or for the purpose for which it was disclosed to the third-party, and that the third-party will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, as required under 45 C.F.R. § 164.504(e)(4).
- Use PHI in its possession to provide data aggregation services relating to the healthcare operations of the Covered Entity.
TERMINATION
Notwithstanding any other provision under the Underlying Agreement and according to federal law, Business Associate agrees that the Underlying Agreement may be terminated by Covered Entity should Covered Entity determine that Business Associate has violated a material term of BAA. Notwithstanding any other provision under the Underlying Agreement and according to federal law, Covered Entity agrees that the Underlying Agreement may be terminated by Business Associate should Business Associate determine that Covered Entity has violated a material term of BAA.
RETURN OR DESTRUCTION OF PHI
Upon termination, cancellation, or expiration of the Underlying Agreement, if feasible, Business Associate shall return to Covered Entity or destroy under standards promulgated by the Secretary, all PHI received from or created by, Business Associate on behalf of Covered Entity that is maintained by Business Associate in any form. Should the return or destruction of the PHI be determined by Business Associate, in its sole discretion, to be infeasible, the Parties agree that the terms of BAA shall extend to the PHI until otherwise indicated by Covered Entity, and any further use or disclosure of the PHI by Business Associate shall be limited to that purpose which renders the return or destruction of the PHI infeasible.
AMENDMENT TO COMPLY WITH LAW
The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of BAA may be required to ensure compliance with such developments. Specifically, the parties acknowledge and agree that January 25, 2013, U.S. Department of Health, and Human Services final rule entitled, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act” (the “HIPAA Omnibus Rule”) imposes new requirements on business associates concerning privacy, security, and Breach notification. The HIPAA Omnibus Rule provisions applicable to business associates are hereby incorporated by reference into BAA as if outlined in BAA in their entirety and will become effective upon their respective effective dates. Upon either Party’s request, the other Party agrees to promptly enter negotiations concerning the terms of any amendment to BAA as may be necessary to comply with applicable law.