1. Definitions.
a. Application Documentation means only the technical specifications, knowledge database information, training documents and/or related documentation that HEMSCap (GeniusPTNote) makes generally available to its customers or the users of the Services, and that describe the features, functions and operation of the Services.
b. Application IP means all technologies (including software) and all Intellectual Property Rights incorporated in or reading on (i) any Product and (ii) the Application Documentation, including any update or upgrade to the foregoing delivered during the Term.
c. Authorized User means, collectively, employees, or contractors of Customer accessing or using the Services, under rights granted to Customer pursuant to this Agreement.
d. Confidential Information See Section +++++++
e. Intellectual Property Rights means all intellectual property rights, howsoever arising and in whatever media, whether or not registered, including patents, copyrights, trademarks, service marks, trade names, design rights, database rights, and any applications for the protection or registration of such rights and all renewals, and extensions thereof throughout the world.
f. Customer means the entity that enters into this Agreement with HEMSCap (GeniusPTNote) to allow the Authorized Users access and use the Products.
g. Customer Data means Customer’s (or its patients’) data collected, used, processed, stored, or generated through or as the result of the use of the Services.
h. Customer Marks means the trademarks, service marks, and trade names of Customer.
i. Personally Identifiable Information means information that personally identifies a person or entity, including, without limitation, an individual’s social security number or other government-issued identification number, date of birth, address, or an individual’s name in combination with any other of the elements listed herein.
j. Product means the software applications made available by HEMSCap (GeniusPTNote)that may be separately ordered by Customer as part of the Services, and which (unless otherwise specified by HEMSCap (GeniusPTNote)) will be made available on a Software-as-a-Service (“SaaS”) basis.
k. Services means, collectively, the Products and any related remote or in-person training, and other professional services that may be delivered in conjunction with or in addition to a Product as those are further described in Exhibit B “Scope of Work”.
2. Product Access, Use, and maintenance.
a. Access. HEMSCap (GeniusPTNote) shall provide to Customer the Services. Certain product subscriptions include the right to certain upgrades, releases, and updates (major and minor) in line with HEMSCap (GeniusPTNote)’s policies, and all of the foregoing are delivered subject to the terms and conditions of the Agreement. HEMSCap (GeniusPTNote), from time to time, may modify, upgrade or otherwise change the manner in which the Services are provided (including but not limited to, Product features, or operating environment), so long as such Services are substantially comparable or superior to the prior Services). HEMSCap (GeniusPTNote) shall provide Customer the necessary passwords and usernames for Authorized Users, subject to this Article 2.
b. Permitted Use. Subject to the terms and conditions of this Agreement (including, e.g., payment of fees and the usage restrictions below), HEMSCap (GeniusPTNote) hereby grants Customer a non-exclusive, non-transferable, non-sub-licensable right to access the features and functions of the Services during the Term. The foregoing license is granted solely for use by Authorized Users in accordance with the terms and conditions herein and in the applicable exhibit(s); and solely for use in the operation of Customer’s business.
c. Restrictions on Use.
d. Protection; Retained Rights; Ownership. Customer acknowledges that HEMSCap (GeniusPTNote) own all Intellectual Property Rights in and to the Services (including all components thereof) and all work product, developments, inventions, technology or materials provided under this Agreement. HEMSCap (GeniusPTNote) reserves all rights not expressly granted to Customer in this Agreement.
e. Authorized Users. Customer and its Authorized Users shall keep their respective login IDs, passwords and other account details (collectively, “User Credentials”) confidential, and shall not share them with anyone else. Customer shall promptly notify HEMSCap (GeniusPTNote) if it, or any of its Authorized Users, learns of or believes that any loss, theft, or unauthorized use of User Credentials, or any breach of the security of the Products. HEMSCap (GeniusPTNote) cannot and will not be liable for any loss or damage arising from any unauthorized access or use of User Credentials.
f. Application Documentation.
g. Unlawful or Unacceptable Use.
h. Unauthorized Access.
i. Connectivity. Customer is solely responsible for all telecommunication or Internet connections required to access the Products, as well as all hardware and software at its facilities needed to access the Products.
j. Compliance with Laws and Export. In connection with Customer’s access to and use of the Products, Customer is responsible for complying with all applicable laws, regulations and policies of all relevant jurisdictions. Without limiting the foregoing, Customer agrees that it will not use the Products for any unlawful purpose, and Customer will not export, directly or indirectly, the Products to any country for which the United States requires any export license or other governmental approval without first obtaining such license or approval.
k. Other Activities.
l. Suspension.
3. Product Access, Use, and maintenance.
a. Data. Customer (on its own behalf and on behalf of its Authorized Users) grants HEMSCap (GeniusPTNote) the right to use the Customer Data as necessary to perform its obligations under this Agreement. Customer and its Authorized Users shall ensure they have obtained all rights, consents and authorizations necessary to license the Customer Data to HEMSCap (GeniusPTNote) as set forth herein.
b. Feedback and Customer Marks.
4. Data Matters
a. Data Ownership. HEMSCap (GeniusPTNote) agrees that Customer Data (which shall also be known and treated by HEMSCap (GeniusPTNote) as Confidential Information is the exclusive property of Customer and HEMSCap (GeniusPTNote). Customer Data is and shall remain the sole and exclusive property of Customer and HEMSCap (GeniusPTNote). All right, title, and interest in is reserved by Customer (subject to the limited license granted above) and HEMSCap (GeniusPTNote) without limiting HEMSCap (GeniusPTNote)’s rights to Aggregated Statistics (as defined below).
b. Data Aggregation.
5. Product Access, Use, and maintenance.
6. Payment for Services.
a. Payment. Customer will pay all fees as specified by in exhibit A (the “Fees”) plus applicable State and local taxes associated with the Fee. Customer will provide HEMSCap (GeniusPTNote) with valid and updated credit card information or ACH information and will authorize HEMSCap (GeniusPTNote) to charge such credit card or authorize such ACH for Products. Customer is responsible for providing complete and accurate billing and contact information to HEMSCap (GeniusPTNote) and notifying HEMSCap (GeniusPTNote) of any changes to such information. HEMSCap (GeniusPTNote) may increase the Fees at its election by providing advance notice of such change (which may be delivered electronically)
b. Taxes.
7. Term and Termination.
a. Term of Agreement. Unless otherwise provided in the order or signup form, the initial term of this Agreement will commence on the Effective Date and will continue for pay as you go. The Customer pay in advance for the use of HEMSCap (GeniusPTNote) product.Unless earlier terminated in accordance with this Section 7.
b. Termination for Breach. Either Party may, at its option, terminate this Agreement in the event of a material breach by the other Party. Such termination may be effected only through a written notice to the breaching Party, sufficiently describing the nature of the breach. The Party receiving such notice shall have a right to cure such breach within thirty (30) days of receipt of such notice. If the breaching Party has not cured such breach or is not diligently pursuing a cure, the non-breaching Party may terminate this Agreement as of the date specified in such notice.
c. Effect of Termination. Upon any termination of this Agreement, (i) Customer will immediately discontinue all use of the Services, the Application Documentation, and any HEMSCap (GeniusPTNote) Confidential Information; (ii) return to the other Party or, at the other Party’s option, destroy, all copies of the Application Documentation and any Confidential Information then in the other Party’s possession.
d. Survival. Following termination, the provisions of the following sections shall survive: Retained Rights, Ownership, Third Party Products, Effect of Termination, Usage Restrictions, Confidentiality, Indemnification, Disclaimers and Limitations of Liability, Data Ownership, Survival, Arbitration, and General.
8. Confidentiality.
All Confidential Information of either Party will be held in confidence by the other Party. HEMSCap (GeniusPTNote) will not, nor knowingly permit others to release Personally Identifiable Information without the written consent of Customer. Neither Party will use (for itself or for any third party) or disclose, nor permit any other person or entity under its control to use or disclose any Confidential Information, except (A) to employees, agents, third party contractors, or representatives of the recipient who have a “need to know” the information and are subject to an obligation of confidentiality at least as restrictive as the restrictions contained in this Confidentiality section, (B) if required by law or legal process, (C) to enforce this Agreement, (D) to respond to claims that any content violates the rights of third parties, or (E) to protect the rights, property, or personal safety of the Parties, users of the Services or Customers of the public. Each Party will promptly notify the other Party if it receives a request for the other party’s Confidential Information (unless notice is prohibited by law),and will reasonably cooperate with the other Party’s efforts to seek protection from disclosure. Upon termination of this Agreement, the provisions of this Confidentiality section will survive for a period of three (3) years from the termination date, and each Party will either return to the other Party all Confidential Information of the other Party in its possession or control, or, at the other Party’s request, destroy any such Confidential Information. Notwithstanding the above, the obligations of confidentiality pertaining to trade secrets shall continue indefinitely.
9. Legal.
a. Certain Legal Actions.
b. Change of Ownership.
c. Audits and Investigations.
d. No Medical Advice. Customer acknowledges and agrees that (a) the Services are not considered as medical advice, (b) any use of the Services is not a substitute for professional judgment and does not relieve Customer from serving as the caretaker or medical provider to its patients, exercising the appropriate standard of care and professional judgment relevant to the treatment of patients, (c) information offered by HEMSCap (GeniusPTNote) in any particular situation does not constitute a recommendation or advice about any course of treatment or the practice of medicine, (d) Customer and its Authorized Users assume sole responsibility for their actions undertaken in connection with the use of the Services in their medical practice, and (e) Customer remains custodian of record for all documentation and information associated with its patients .
10. Third Party Products;
Third Party Data. HEMSCap (GeniusPTNote) makes no representation or warranties of any kind with respect to Third Party Products provided with or incorporated into the Service.
11. Warranty Disclaimers.
THE SERVICES, PRODUCT(S) AND ANY SOFTWARE PROVIDED IN CONNECTION WITH THE SERVICES BY HEMSCAP (GENIUSPTNOTE) IS PROVIDED ON AN “AS IS” BASIS. WHILE HEMSCAP (GENIUSPTNOTE) WILL EXERCISE ITS COMMERCIALLY REASONABLE EFFORTS TO PROVIDE THE SERVICES, HEMSCAP (GENIUSPTNOTE) DOES NOT MAKE, AND HEREBY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, OF ANY KIND OR NATURE WITH RESPECT TO THE SERVICES OR SUCH PROPERTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE. HEMSCAP (GENIUSPTNOTE) DOES NOT WARRANT OR GUARANTEE THE INTEGRITY OF THE SERVICES OR OF THE CONTENT, INFORMATION OR DATA TRANSMITTED THROUGH OR CONTAINED WITHIN ANY PORTION OF THE SERVICES. NEITHER HEMSCAP (GENIUSPTNOTE) NOR ANY OTHER PERSON OR ENTITY INVOLVED IN CREATING, PRODUCING OR DELIVERING ANY OF THE SERVICES PROMISES, REPRESENTS OR WARRANTS THAT THE SERVICES WILL BE TIMELY, UNINTERRUPTED OR ERROR FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVICES OR THE SERVERS OR OTHER PROPERTY THAT ARE USED IN PROVIDING THE SERVICES WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
12. Limitations of Liability; Remedies.
a. EXCEPT IN THE EVENT OF A BREACH OF A PARTY’S CONFIDENTIALITY OBLIGATIONS, OR OBLIGATIONS UNDER SECTION ______________, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION UPON DAMAGES AND CLAIMS IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. TO THE MAXIMUM EXTENT PERMITTED BY LAW AND EXCEPT FOR HEMSCAP (GENIUSPTNOTE)’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION, THE CUMULATIVE LIABILITY OF HEMSCAP (GENIUSPTNOTE) TO THE CUSTOMER FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF ALL FEES PAID TO HEMSCAP (GENIUSPTNOTE) BY CUSTOMERIN THE TWELVE (12) MONTHS PRECEDING THE DATE ON WHICH THE APPLICABLE CLAIM AROSE. THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE OR WHETHER EITHER PARTY HAD KNOWLEDGE OF THE CAUSE OF ACTIONS RESULTING INTO ALLEGED LIABILITY.
b. Essential Basis of the Agreement.
13. Indemnification.
a. General Indemnity By Customer. Customer agrees to indemnify and hold HEMSCap (GeniusPTNote) (as well as its parents, subsidiaries, affiliates, officers, Customers, shareholders, employees, agents and representatives) harmless from any and all third-party claims, liability and expenses (including without limitation, reasonable attorneys’ fees) arising out of or related to (i) Customer’s use of the Services (unless the claim directly relates to HEMSCap (GeniusPTNote)’s misconduct), and/or (ii) any claim arising out of content posted or transmitted by any person or entity associated with or authorized by Customer (other than HEMSCap (GeniusPTNote)) through the use of the Services. HEMSCap (GeniusPTNote) reserves the right, to select counsel of its own choosing for and otherwise to control its own defense, of any matter subject to indemnification by Customer, which shall not excuse Customer’s indemnity obligations. Customer will not settle any third-party claim against HEMSCap (GeniusPTNote) unless such settlement completely and forever releases HEMSCap (GeniusPTNote) from all liability with respect to such claim or unless HEMSCap (GeniusPTNote) consents to such settlement.
b. Infringement Indemnity By HEMSCap (GeniusPTNote). HEMSCap (GeniusPTNote)agrees to indemnify and hold Customer (as well as its parents, subsidiaries, affiliates, officers, Customers, shareholders, employees, agents and representatives) harmless from any and all third-party claims, liability and expenses (including without limitation, reasonable attorneys’ fees) arising out of or related to the alleged infringement of such third party’s patent, trademark, copyright or trade secret rights under applicable laws within the United States of America, provided that Customer promptly notifies HEMSCap (GeniusPTNote) in writing of the claim, cooperates with HEMSCap (GeniusPTNote), and allows HEMSCap (GeniusPTNote) sole authority to control the defense and settlement of such claim. This Section 13.b shall not apply to the extent such alleged infringement arises from (i) any unauthorized modification of HEMSCap (GeniusPTNote)’s intellectual property by Customer; or (ii) Customer Data. HEMSCap (GeniusPTNote) will not settle any third-party claim against Customer unless such settlement completely and forever releases Customer from all liability with respect to such claim or unless Customer consents to such settlement. THIS SECTION STATES HEMSCAP (GENIUSPTNOTE)’S ENTIRE OBLIGATION AND LIABILITY WITH RESPECT TO ANY CLAIM OF INFRINGEMENT.
14. Arbitration.
a. Any controversy or claim arising out of or relating to this Agreement or any alleged breach of this Agreement shall be resolved by binding arbitration by the American Arbitration Association (“AAA”), under its Commercial Arbitration Rules, in Phoenix, Arizona. The arbitrator is not authorized to award punitive or other damages not measured by the prevailing party’s actual damages. Selection of the arbitrators shall be as follows: each party shall appoint one arbitrator within twenty (20) days after the initiating party files a Demand for Arbitration, and those two arbitrators shall appoint a third arbitrator who shall act as chairman, within a twenty (20) day period thereafter. If the parties fail to appoint the chairman within said period, the parties will apply to the American Arbitration Association for appointment of the third arbitrator.
b. Either party may apply to the arbitrator seeking injunctive relief until an arbitration award is rendered or the dispute is otherwise resolved. Either party also may, without waiving any other remedy, seek from any court having jurisdiction any interim or provisional relief that is necessary to protect the rights or property of such party pending the arbitrator’s appointment or decision on the merits of the dispute.
c. Judgement upon the arbitrator’s award may be entered in any court having jurisdiction. The arbitration proceeding and arbitrator’s award shall be maintained as strictly confidential, except as otherwise required by court order or as necessary to confirm, vacate or enforce the award and for disclosure in confidence to the parties’ respective attorneys.
d. Each Party shall bear its own costs, fees and expenses of arbitration.
15. General.
a. Severability. Should any provision of this Agreement be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, such provision shall be deemed modified to the extent necessary (consistent with the intent of the Parties) to eliminate the illegal, invalid or unenforceable effect or to delete such provision if modification is not feasible, and the remaining terms shall continue in full force and effect.
b. Independent Contractors. In making and performing this Agreement, Customer and HEMSCap (GeniusPTNote) act and will act at all times as independent contractors, and, except as expressly set forth herein, nothing contained in this Agreement will be construed or implied to create an agency, partnership or employer and employee relationship between them.
c. Governing Law. This Agreement and all disputes arising under or related to it shall be governed by the laws of the State of Indiana, without regard to choice of law principles that would allow the application of another State’s law.
d. Inapplicability of UCITA. THE PARTIES AGREE THAT NO PROVISION OF THE UNIFORM COMPUTER INFORMATION TRANSACTIONS ACT (UCITA) IS INTENDED TO APPLY TO THE INTERPRETATIONS OF THIS AGREEMENT, WHETHER OR NOT UCITA IS ENACTED IN THE STATE WHOSE LAW GOVERNS THIS AGREEMENT.
16. Customer Responsibilities.
a. Documentation. Customer shall: (a) be responsible for providing all information necessary to complete and accurate document generation; (b) provide only information, diagnoses, assessments and codes which are fully supported in the patient medical record; Customeracknowledges and agrees that Customer is responsible for the accuracy of all information provided to HEMSCap (GeniusPTNote), and HEMSCap (GeniusPTNote) is entitled to rely on information (e.g., patient information, diagnosis and assessments) and instructions Customer provides.
17. Required Notices.
a. Insurance Coding. The parties understand and acknowledge that both private and governmental payers and insurers make frequent changes in their policies, rules, regulations and statutes which can occur during the term of this Agreement and which may materially affect whether and how claims for reimbursement must be documented, coded and submitted. Customer agrees to promptly provide to HEMSCap (GeniusPTNote) copies of any notices, including but not limited to, carrier bulletins, fraud alerts, industry publications, legal advice and the like it receives which relate to Customer’s methods or policies for the delivery of clinical services, documentation, coding or billing or which otherwise relates to parties’ duties under this Agreement.
b. Document Errors.
c. Notices to Government Agencies.
17. Party Compliance.
a. HEMSCap (GeniusPTNote) Certification. HEMSCap (GeniusPTNote) warrants and certifies that at as of the Effective Date of this Agreement: (a) neither it, nor its officers, directors or employees have been or are under a declaration of debarment or exclusion from participating in government contracting or participation in Medicare or Medicaid; (b) neither it, nor any of its officers, directors or employees is operating under or are otherwise subject to a Corporate Integrity Agreement (CIA); (c) neither it, nor any of its officers, directors or employees is aware of any pending investigation by any government agency relating in any way to its services; (d) neither it, nor its officers, directors or employees is currently a named defendant in criminal indictment or notification or a civil cause of action alleging a violation of the Civil False Claims Act or otherwise alleging the submission of false claims to any government or private insurer.
b. Customer Certification.
c. Compliance Programs.
Business Associate Agreement
This Business Associate Agreement (hereinafter referred to as “BAA”), is hereby entered into between Customer (“Covered Entity”) and HEMSCap Inc., an Indiana corporation (“Business Associate”).
Whereas Business Associate performs functions, activities, or services for or on behalf of Covered Entity, and Business Associate creates, receives, maintains, or transmits Protected Health Information (“PHI”), including Electronic Protected Health Information (“EPHI”), in order to perform such functions, activities, or services (referred to collectively as the “Services”);
Whereas the purpose of this BAA is to set forth the terms and conditions of PHI disclosure by Covered Entity to Business Associate; to set forth the terms and conditions of Business Associate’s use and disclosure of PHI; and to ensure the confidentiality, integrity, and availability of EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity;
Whereas it is the intent of Covered Entity and Business Associate that this BAA will meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (“ARRA”), the Privacy Rule, the Security Rule, 45 C.F.R. Parts 160 and 164, and the Final HIPAA Omnibus Rule.
Now, therefore, in consideration of the mutual promises set forth in this BAA and other good and valuable consideration (the sufficiency and receipt of which are hereby severally acknowledged), the parties agree as follows:
1. Definitions. Unless otherwise specified in this BAA, all capitalized terms not otherwise defined shall have the meanings established in Title 45, Parts 160 and 164, of the United States Code of Federal Regulations, as amended from time to time, and/or in the American Recovery and Reinvestment Act of 2009 (“ARRA”). For purposes of clarification, the following terms shall have the definitions set forth below:
a. “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information as set forth in 45 C.F.R. Parts 160 and 164.
b. “Security Standards” shall mean the Security Standards for the Protection of Electronic Protected Health Information as set forth in 45 C.F.R. Parts 160 and 164.
2. Business Associate Obligations. Business Associate may create, receive, maintain, or transmit from or on behalf of Covered Entity health information that is protected under applicable state and/or federal law, including, without limitation, PHI. Business Associate shall not Use or Disclose the PHI other than as permitted or required by this BAA or as Required by Law. Business Associate agrees not to Use or Disclose (or permit the Use or Disclosure of) PHI in a manner that would violate the requirements of the Privacy Standards or the Security Standards if the PHI were Used or Disclosed by Covered Entity in the same manner, except as provided in Sections 3 and 4 of this BAA.
3. Use of PHI.
a. Administrative and Other Duties. Business Associate may Use PHI as necessary (i) for performing Services on behalf of Covered Entity, (ii) for the proper management and administration of the Business Associate, and (iii) for carrying out Business Associate’s legal responsibilities, provided in each case that such Uses are permitted under federal and state law.
b. Data Aggregation. Business Associate may provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B) and to Use, Disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this BAA with PHI received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Covered Entity.
c. De-Identified PHI. Business Associate may de-identify any and all PHI created or received by Business Associate under this BAA. PHI that has been de-identified within the meaning of 45 CFR § 164.514(b) is no longer PHI and may be used or disclosed by Business Associate for any lawful purpose.
4. Disclosure of PHI. Business Associate may Disclose PHI as necessary to perform Services on behalf of Covered Entity. Additionally, Business Associate may Disclose PHI (i) for the proper management and administration of the Business Associate and (ii) to carry out Business Associate’s legal responsibilities, provided that either (a) the Disclosure is Required by Law or (b) the Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will be held confidential and further Used and Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person and such person agrees to immediately notify the Business Associate of any instances of which he or she is aware that the confidentiality of the information has been breached. Business Associate will determine the amount of PHI necessary to accomplish the intended purpose of disclosure and will make reasonable efforts to limit the receipt, use, and disclosure of PHI to the minimum necessary as required by the Privacy Laws.
5. Reports. Business Associate agrees to report to Covered Entity:
a. Any Breach of Unsecured PHI. Each report of a Breach of Unsecured PHI Discovered by Business Associate, unless delayed for law enforcement purposes, shall be made without delay and in no case later than thirty (30) calendar days after Discovery of the Breach. Such report shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, Used, or Disclosed during such Breach and any other available information Covered Entity is required to include in notification to the affected Individual(s) under 45 C.F.R. § 164.404(c);
b. Any Security Incident. Any Security Incident within thirty (30) calendar days of the Business Associate becoming aware of such unauthorized Use or Disclosure. For Security Incidents that do not result in access to or a Use or Disclosure of EPHI in violation of this BAA (an “Unsuccessful Security Incident”), will be deemed as notice to Covered Entity that Business Associate periodically receives unsuccessful attempts for unauthorized access, Use, Disclosure, modification, or destruction of information or interference with the general operation of Business Associate’s information systems and the Services, including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denial-of-service attacks, and, even if such events are defined as a Security Incident under the HIPAA Rules, Business Associate will not provide any further notice regarding such unsuccessful attempts. To the extent required by the Security Rule, Business Associate will record or otherwise log all Unsuccessful Security Incidents, will maintain such records for the period required under the Security Rule, and will, upon Covered Entity’s written request, provide a copy of any such records to Covered Entity.
6. Safeguards. Business Associate will use appropriate safeguards and comply, where applicable, with 45 C.F.R 164 Subpart C with respect to EPHI to prevent Use or Disclosure of the information other than as provided for by this BAA.
7. Subcontractors. Business Associate shall require Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree in writing to the same or similar restrictions and conditions that apply to the Business Associate under this BAA, including but not limited to, compliance with the applicable requirements of 45 C.F.R. Parts 160 and 164. Such agreement between Business Associate and the Subcontractor must be made in writing and must comply with the terms of this BAA and the requirements outlined in 45 C.F.R. § 164.504(e) and 164.314.
8. Individual Rights to Access and Amend.
a. Access. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall permit an Individual to inspect or copy PHI contained in that Designated Record Set about the Individual in accordance with the Privacy Standards set forth in 45 C.F.R. § 164.524, as it may be amended from time to time unless excepted or a basis for denial exists under 45 C.F.R. § 164.524, as determined by the Covered Entity. In the event that a Business Associate uses or maintains an Electronic Health Record on behalf of Covered Entity, then an Individual’s right of access under 45 C.F.R. § 164.524 shall include the right to obtain a copy of the PHI in an electronic format—if the Individual chooses in a clear, conspicuous, and specific manner to direct the Business Associate to transmit such copy to any person designated by the Individual. Business Associate shall respond to any request from Covered Entity for access by an Individual within five (5) days of such request unless otherwise agreed to by Covered Entity. The information shall be provided in the form or format requested (if it is readily producible in such form or format) or in summary if the Individual has agreed in advance to accept the information in summary form. A reasonable, cost-based fee may be charged for copying PHI or providing a summary of PHI in accordance with 45 C.F.R. § 164.524(c)(4), provided that any such fee relating to a copy or summary of PHI is not greater than the labor, supplies, and postage costs incurred in response to the request for the copy or summary.
b. Amendment. Business Associate shall accommodate an Individual’s right to amend PHI about the Individual in a Designated Record Set in accordance with the Privacy Standards set forth at 45 C.F.R. § 164.526, as it may be amended from time to time unless excepted or a basis for denial exists under 45 C.F.R. § 164.526, as determined by the Covered Entity. Covered Entity shall determine whether a denial of an amendment request is appropriate or an exception applies. Business Associate shall notify Covered Entity within five (5) days of receipt of any request for amendment by an Individual and shall make any amendment requested by Covered Entity within ten (10) days of such request. Business Associate shall have a process in place for handling requests for amendments and for appending such requests to the Designated Record Set when required by 45 C.F.R. § 164.526.
9. Accounting of Disclosures
a. General Accounting Provisions. Business Associate shall make available to Covered Entity, in response to a request from an Individual, information required for an accounting of Disclosures of PHI with respect to the Individual, in accordance with 45 C.F.R. § 164.528, as it may be amended from time to time, unless an exception to such accounting exists under 45 C.F.R. § 164.528. Business Associate shall provide such information necessary to provide an accounting within thirty (30) days of Covered Entity’s request.
b. Fees for an Accounting. Any accounting provided under Section 9.1 must be provided without cost to the Individual or to Covered Entity if it is the first accounting requested by an Individual within any twelve (12) month period. However, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs the Covered Entity and the Covered Entity informs the Individual in advance of the fee. At this time, the Individual must be afforded an opportunity to withdraw or modify the request.
10. Withdrawal of Consent or Authorization.
If the Use or Disclosure of PHI in this BAA is based upon an Individual’s specific consent or authorization for the Use or Disclosure of his or her PHI and (i) the Individual revokes such consent or authorization in writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate agrees, as long as it has notice of such revocation or invalidity, to cease the Use and Disclosure of any such Individual’s PHI except to the extent it has relied on such Use or Disclosure or where an exception under the Privacy Standards expressly applies.
11. Records and Audit.
Business Associate shall make available to Covered Entity and to the Secretary or its agents, its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity for the purpose of determining Covered Entity’s compliance with the Privacy Standards and the Security Standards in a timely manner designated by Covered Entity or the Secretary. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity immediately upon receipt of any and all requests served upon Business Associate by or on behalf of any and all government authorities relating to PHI received from, or created or received by, Business Associate on behalf of Covered Entity.
12. Notice of Privacy Practices.
Covered Entity shall provide to Business Associate its Notice of Privacy Practices (“Notice”), including any amendments to the Notice. Business Associate agrees that it will abide by any limitations set forth in the Notice, as it may be amended from time to time, of which it has knowledge. An amended Notice shall not affect permitted Uses and Disclosures on which Business Associate has relied prior to receipt of such Notice.
13. Compliance with Law.
To the extent Business Associate is to carry out Covered Entity’s obligation under the Privacy Standards, Business Associate shall comply with the requirements of the Privacy Standards that apply to Covered Entity in the performance of such obligation.
14. Prohibition of Sale of PHI and use of PHI for Marketing.
Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, nor will it Use or Disclose PHI for fundraising and/or marketing purposes, except with the Covered Entity’s prior written consent and in accordance with applicable Privacy Laws.
15. Term and Termination.
a. PHI Disposition. This BAA shall remain in effect until all PHI received from, or created or received by, Business Associate on behalf of Covered Entity is returned to Covered Entity or destroyed in accordance with Section 15.4.
b. Material Breach. Upon either Party’s knowledge of a material breach of this BAA by the other Party, the non-breaching Party must (i) provide an opportunity for the breaching Party to cure the breach or end the violation, and, if the breaching Party does not cure the breach or end the violation within the time specified by the non-breaching Party, the non-breaching Party shall terminate this BAA and any underlying agreements that give rise to the business associate relationship described in this BAA (“Underlying Agreements”); or (ii) immediately terminate this BAA and any Underlying Agreements.
c. Underlying Agreement. This BAA shall terminate simultaneously without additional notice upon the termination of any Underlying Agreement related to the Services or, if there is no Underlying Agreement, upon termination of the Services.
d. Effect of Termination. Upon termination of this BAA for any reason, Business Associate agrees either to return to Covered Entity or to destroy all PHI received from or created or received by Business Associate on behalf of Covered Entity that is in the possession or control of Business Associate or its Subcontractors. If it is not feasible to return or destroy the information, Business Associate shall continue to comply with the terms in this BAA with respect to such PHI and shall comply with other applicable state or federal law.
16. Miscellaneous
a. Notice. All notices, requests, demands, and other communications required or permitted to be given or made under this BAA shall be in writing, effective upon receipt or attempted delivery, and sent by (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; or (iii) overnight delivery service with proof of delivery. Notices to Business Associate shall be sent to:HEMSCap Inc.
b. Third-Party Beneficiaries. There are no third-party beneficiaries to this BAA. Business Associate’s obligations are to the Covered Entity only
c. Successors and Assigns. This BAA will inure to the benefit of, and be binding upon, the successors and assigns of the parties. However, this BAA is not assignable by any party without the prior written consent of the other parties. However, either party may, without the written consent of the other, assign this Agreement and its rights and obligations hereunder in connection with the transfer or sale of all or substantially all of its business related to this Agreement, or in the event of a merger, consolidation, change in control or similar transaction.
d. Counterparts. This BAA may be executed in counterparts, by manual, electronic, or facsimile signature, each of which will be deemed an original and all of which together will constitute one and the same instrument.
e. Interpretation. Any ambiguity herein must be resolved in favor of a meaning that permits both Covered Entity and Business Associate to comply with Applicable Privacy Laws, consistent with the Terms of Services.
