TERMS AND CONDITIONS
The Services Agreement (“Agreement”) between GHDS and Client consists of these Terms and Conditions (the “T&Cs”), one or more Service Orders, and, if applicable, the Business Associate Agreement set forth below (the “BAA”). These T&Cs shall apply to each Service Order executed by GHDS and Client.
- “Affiliate” means, with respect to a given person or entity, a person or entity that directly or indirectly controls, is controlled by, or is under common control with, such person or entity.
- “API” means application programming interface.
- “Authorized Data” means User Data authorized by End Users to be provided to Client via the Client App.
- “Billing Start Date” means the date that is the earlier to occur of (x) the thirtieth (30th) day following the Effective Date, and (y) the Go-Live Date.
- “Client” means the party identified as such on the applicable Service Order.
- “Client App” means the Client-operated web site portal or web/mobile application indicated on the Service Order through which it would like the End Users to access their User Data.
- “Effective Date” means the date identified as such on the Service Order.
- “End User” means the authorized end users of the Client App.
- “GHDS” means Greenlight Health Data Solutions, Inc., a Delaware corporation.
- “Go-Live Date” means the sixtieth (60th) day following the Effective Date.
- “Go-Live Notice” means a notice given by Client to GHDS at any time prior to the sixtieth (60th) day following the Effective Date, stating that Client desires access to the Service’s production environment prior to the end of such 60-day period.
- “Sandbox” means the Service’s development and testing environment.
- “Service Order” means the document captioned “Services Agreement Order Form” (or a similarly styled document) that is executed by Client and GHDS and expressly refers to these T&Cs and the Agreement.
- “Service” means the Greenlight software and technology that can (i) collect Authorized Data from Third Party Apps, (ii) normalize and collate Authorized Data, and (iii) permit Client, through the Service’s API, to access the Authorized Data of an End User by matching that Authorized Data to such End User using confidential End User IDs and authorization tokens.
- “Third Party Apps” means those third party applications and devices that collect User Data and store it on servers owned or controlled by each Third Party App’s owner.
- “User Data” means each End User’s personal health and activity information that is collected by Third Party Apps.
Any capitalized terms used but not defined in these T&Cs shall have the meanings ascribed to them in the Service Order.
2. THE SERVICE.
As of the Effective Date, GHDS grants to Client, and Client accepts, a non-exclusive, nontransferable right to access the Sandbox, which will permit Client to test the Service using replica patient data in a non-production environment. Beginning on the sixtieth (60th) day following the Effective Date, (i) the provisions of Section 2(b) shall apply to Client’s access to the Service, and (ii) Client’s access to the Sandbox shall continue for the remainder of the Term; provided, however, that if Client gives a Go-Live Notice, then the Go-Live Date shall be the date that GHDS receives such Go-Live Notice.
As of the Go-Live Date, and subject to the terms and conditions of these T&Cs (including Section 2(c)), GHDS grants to Client, and Client accepts, a non-exclusive, nontransferable (except as set forth in Section 14(c)) right to access the Service using the API to obtain Authorized Data for each registered End User solely for the purpose of making available to such End User through the Client App such Authorized Data (or information based on such Authorized Data) in a manner that is in compliance with these T&Cs (the “Permitted Uses”). All Third Party Apps are owned and maintained by third parties and GHDS is not responsible for the malfunction or other failure of any Third Party App. GHDS may add or remove Third Party Apps to its list of supported Third Party Apps from time to time during the Term; provided, however, that GHDS shall not discontinue supporting any Third Party App during the Term unless (i) GHDS determines, in its sole discretion, that it is not commercially reasonable to continue to support such Third Party App, or (ii) the owner of such Third Party App terminates the End Users’ right and/or the Service’s ability to obtain Authorized Data from that Third Party App. GHDS shall provide Client with prompt notice of any such discontinuance of support for any Third Party App.
Client’s access to the Service’s production environment shall be subject to the terms and conditions set forth on Exhibit B (the “Go-Live Requirements”).
3. CONNECTION TO THE API.
The documentation for the Service’s API is available upon request. Within ninety (90) days from the Effective Date, Client’s connection to the Service’s API shall be functional in all material respects so that Authorized Data can be exchanged between its systems and the Service’s API. Client shall be solely responsible for such implementation, including, without limitation, formatting its data and system so that Authorized Data can be exchanged between Client’s system and the Service’s API. During the Term of the Agreement, GHDS may make those commercially reasonable updates, upgrades, improvements, enhancements and/or modifications to its Service and its API that it considers to be appropriate. Should GHDS modify the most current version of the Service’s API available to Client as of the Effective Date in any manner that would require Client to reformat its data and system to use the modified API, GHDS shall continue to maintain and support the earlier version of the Service’s API as an alternative means of transmitting data to Client during the then-current Term of the Agreement.
4. PROPRIETARY RIGHTS; AUTHORIZED USE OF THE SERVICE.
As between the parties, all intellectual property and proprietary rights in the Service and its API shall remain the sole and exclusive property of GHDS. Client shall not, and shall not permit any other person to, access or use the Service or its API except as expressly permitted herein. Without limiting the generality of the foregoing, Client shall not (a) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available the Service or its API to any third party, including on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud, or other technology or service; or (b) access or use the Service or its API for any purpose that is to GHDS’s detriment or commercial disadvantage; or (c) otherwise access or use the Service or its API beyond the scope of the Permitted Uses.
5. DATA.
Client shall be solely responsible for registering each End User on the Client App and ensuring that each End User expressly (i) designates any healthcare providers (“Providers”) and Third Party Apps from which that End User’s Authorized Data is to be collected, (ii) authorizes the collection of such End User’s Authorized Data from such Providers and/or Third Party Apps by the Service for use on the Client App, and (iii) agrees to the Permitted Uses of such End User’s Authorized Data. For purposes hereof, the Permitted Uses shall be deemed to include (A) GHDS’s use of Authorized Data to create de-identified information (subject to Section 5(d), if applicable), and (B) GHDS’s use or disclosure of the resulting de-identified information for any lawful purpose. Client shall not use or disclose any End User’s Authorized Data for any purpose other than the Permitted Uses without the express prior written consent of the End User.
Client shall comply with any applicable obligations under any applicable laws, rules and regulations with respect to its use, storage and disclosure of Authorized Data.
Client acknowledges that, as between GHDS and Client, Client shall be solely responsible for all use, storage, and disclosure of Authorized Data received by it.
If Client is a “covered entity” (or is acting as a “business associate” to a covered entity) for purposes of the Health Insurance Portability and Accountability Act of 1996, as amended, then Client and GHDS acknowledge and agree that the BAA attached as Exhibit C is hereby incorporated into the Agreement by this reference.
Client shall provide its End Users with a copy of (or link to) GHDS’s Privacy Statement for the Service, which is available at https://greenlighthealth.com/greenlight-health-privacy-statement/, before giving each End User access to the Service through the Client App.
Client shall pay to GHDS the Fees for the Service set forth on the Fee Schedule attached to the Service Order. On each anniversary of the Effective Date, GHDS may increase such rates and Fees upon notice to Client; provided, however, that such increases shall not be implemented more than once in any twelve (12) month period. GHDS shall give Client sixty (60) days’ notice of such increase prior to its effective date. All Fees shall be paid in U.S. dollars no later than thirty (30) days after the date of invoice. All payments not received when due shall accrue interest at a rate per month of one and one-half percent (1.5%). Billing for Fees shall commence on the Billing Start Date. Fees shall be subject to proration for any partial months during the Term.
During the Term of the Agreement, GHDS shall provide Client with support and service levels for the Service in accordance with Exhibit A.
8. CONFIDENTIALITY.
Each party agrees that, without the express consent of the disclosing party, the receiving party shall not use for any purpose other than performance of the Agreement or disclose to any third party any information or material of the disclosing party designated in writing as confidential or that the receiving party should reasonably believe to be confidential based on its content and/or context (including the terms of the Agreement and information pertaining to the Service) unless such information or material is: (a) at the time of its disclosure, previously known by or in the possession of the receiving party without restriction; (b) in the public domain or becomes generally known or published through no fault of the receiving party; (c) lawfully disclosed to the receiving party by a third party free to disclose such information; (d) independently developed or owned by the receiving party; or (e) required to be disclosed pursuant to applicable law. This obligation of confidentiality shall survive the expiration or termination of the Agreement for a period of five years; provided that trade secrets will remain protected by this Section 8 for as long as they constitute trade secrets under applicable law.
GHDS warrants and represents that, during the Term of the Agreement, the Service will perform, in all material respects, in accordance with its then-current published functional specifications.
10. DISCLAIMER OF WARRANTY.
EXCEPT AS EXPRESSLY SET FORTH IN SECTION 9, ABOVE, GHDS MAKES NO WARRANTIES REGARDING THE SERVICE, AND GHDS HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE SERVICE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY OR SECURITY. GHDS DOES NOT WARRANT THAT ACCESS TO OR USE OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE SERVICE WILL BE CORRECTED, OR THAT THE SERVICE WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. GHDS DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES.
11. LIMITATION OF LIABILITY.
NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THE AGREEMENT, GHDS AND ITS SHAREHOLDERS, AFFILIATES, DIRECTORS, OFFICERS, EMPLOYEES AND OTHER REPRESENTATIVES SHALL NOT BE LIABLE TO CLIENT, END USERS OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, EXEMPLARY, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING ANY DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF DATA, LOSS OF USE, ATTORNEYS’ FEES, LOST REVENUES OR LOST PROFITS), WHETHER ARISING OUT OF BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE AND WHETHER OR NOT GHDS HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.
IN ANY EVENT, GHDS’S AGGREGATE LIABILITY FOR DAMAGES, LOSSES, COSTS, AND EXPENSES ARISING OUT OF OR RELATED TO THE AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, SHALL NOT EXCEED THE AMOUNTS RECEIVED BY GHDS FROM CLIENT PURSUANT TO THE AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. THE FOREGOING LIMITATIONS SHALL APPLY EVEN IF THE CLIENT’S REMEDIES UNDER THE AGREEMENT FAIL OF THEIR ESSENTIAL PURPOSE.
12. INDEMNIFICATION.
GHDS shall indemnify, defend and hold Client harmless from and against any and all loss or damage in connection with a third party claim (including any governmental claim) arising out of any actual or threatened claim that the Service infringes upon or misappropriates any registered United States copyright, patent or trademark of any third party, except to the extent such loss or damage arises out of or relates to the use of the Service by Client or any End User in combination with other data products, processes or materials not provided by GHDS and such infringement would not have occurred but for Client’s (or such End User’s) combination.
Client shall indemnify, defend and hold GHDS harmless from and against any and all loss or damage arising out of a third-party claim against GHDS (including any governmental claim) resulting from Client’s (i) use of the Service (or use of the Service by any of Client’s End Users), including, without limitation, any third-party claim alleging that the Service’s collection of the Authorized Data was not authorized by the applicable End User and/or owner of any Third Party App, or (ii) the failure by Client to comply with its obligations with respect to data under Section 5, except to the extent such loss or damage arises out of or relates to GHDS’s (a) gross negligence or intentional misconduct, or (b) failure to comply with its obligations under Section 5.
Each party’s obligation of indemnification is contingent upon the other party promptly notifying the indemnifying party of any such claim, providing the indemnifying party with exclusive control of the defense and/or settlement thereof, and cooperating with the indemnifying party in such defense and/or settlement. In the event that the Service becomes or is in GHDS’s reasonable discretion likely to become the subject of any injunction preventing its use in the manner contemplated in the Agreement, or that GHDS reasonably determines that the Service is likely to infringe or violate any third party’s United States registered patent, copyright or trademark, or that the use of the Service is likely to violate HIPAA, GHDS may, at its option, (A) procure for Client the right to continue to use the Service in the manner permitted hereunder, without the payment of any additional fees by Client to any such third party; (B) replace or modify the Service so that it is compliant with HIPAA and/or non-infringing while continuing to perform all its material functions; or (C) if in GHDS’s reasonable opinion it is not commercially reasonable for GHDS to take the actions set forth in (A) or (B), terminate the Agreement and release Client from any further payment obligations. Subject to the terms of Section 11 hereof, this Section 12 states GHDS’s sole liability and Client’s exclusive remedy for third party claims with respect to the Service or the Authorized Data.
13. TERM AND TERMINATION.
Term. The initial term of the Agreement shall commence on the Effective Date and shall continue through the end of the period indicated on the Service Order, unless earlier terminated for breach in the manner provided below. The Agreement shall automatically renew for subsequent periods of a monthly duration unless either party provides the other party with written notice of its intent not to renew at least 30 days prior to the end of the initial term or any such renewal term. The initial term and any renewal terms are cumulatively referred to as the “Term”.
Termination for Breach. In the event of a material breach by either party that is not cured within 30 days of receipt of written notice thereof from the other party, the non-breaching party may, by written notice to the breaching party, (i) terminate the Agreement, (ii) terminate or suspend the provision of the Service hereunder, and/or (iii) pursue other legal and equitable rights and remedies to which it may be entitled.
Effect of Termination or Expiration. Upon termination or expiration of the Agreement, the rights and obligations hereunder shall terminate immediately, except that (i) any payment or other obligation that has accrued as of the date thereof shall survive and continue in full force and effect, and (ii) the provisions of Section 4 (Proprietary Rights), Section 5 (Data), Section 8 (Confidentiality), Section 10 (Disclaimer of Warranty), Section 11 (Limitation of Liability), Section 12 (Indemnification) and Section 14 (Miscellaneous) shall all survive and continue in full force and effect.
14. MISCELLANEOUS.
Entire Agreement. The parties agree that the Agreement represents the complete and exclusive statement of the agreement between the parties and supersedes any proposal or prior oral or written agreement, or any other communications relating to the subject matter of the Agreement. The Agreement may be amended, modified or supplemented only by written agreement of both of the parties.
Governing Law. The Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to the choice of law provisions thereof. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Agreement. Any contract dispute or claim arising out of, or in connection with, the Agreement shall be finally settled by binding arbitration in Raleigh, North Carolina, in accordance with N.C. Gen. Stat. §1-569.1 et seq. (the “Revised Uniform Arbitration Act”) and the then current rules and procedures of the American Arbitration Association by one (1) arbitrator appointed by the American Arbitration Association. The arbitrator shall apply the law of the State of North Carolina, without reference to rules of conflict of law or statutory rules of arbitration, to the merits of any dispute or claim. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. In the event that any arbitration, action or proceeding is brought in connection with the Agreement, the prevailing party shall be entitled to recover its costs and reasonable attorneys’ fees in accordance with N.C. Gen. Stat. §6-21.6. Notwithstanding the foregoing, nothing herein shall preclude either party from seeking injunctive relief in any state or federal court of competent jurisdiction without first complying with the arbitration provisions of this Section.
Assignment. Client shall not assign the Agreement or any of its rights or obligations under the Agreement without the prior written consent of GHDS. The Agreement shall be binding upon and shall inure to the benefit of the parties’ respective successors and permitted assigns. Any purported assignment in violation of the foregoing shall be void.
Severability; Waiver. If any term of the Agreement shall be found invalid, the term shall be modified or omitted to the extent necessary, and the remainder of the Agreement shall continue in full effect. The waiver by either party of a breach of any provision of the Agreement shall not constitute or be construed as a waiver of any future breach of any provision of the Agreement.
Notice. All notices required to be given under the terms of the Agreement or which any of the parties hereto may desire to give hereunder, shall be in writing, shall be delivered via one of the following methods, and shall be deemed to have been received: (i) on the day given, if delivered by hand (securing a receipt evidencing such delivery); or (ii) on the second day after such notice is sent by a nationally recognized overnight courier service, full delivery cost paid; or (iii) on the fifth day after such notice was mailed, registered U.S. mail, postage prepaid, return receipt requested, and addressed to the party to be notified at the address set forth for such party in the Service Order (or to such other address as such party may designate by notice to the other party from time to time in accordance with this Section).
No Rights in Third Parties. The Agreement does not grant any rights or remedies to any person or entity that is not a party to the Agreement. No person or entity is a third party beneficiary of the Agreement.
Independent Contractors. The parties shall be independent contractors and the relationship between the parties shall not constitute a partnership, joint venture or agency. No party shall have the authority to make any statements, representations or commitments of any kind, or to take any action, which shall be binding on the other party, without the prior written consent of such other party.
Force Majeure. Each party will be excused from delays in performing or from failing to perform its obligations under the Agreement to the extent the delays or failures result from causes beyond the reasonable control of such party, for so long as such party acts diligently to attempt to remedy the cause of any such delay or failure.
Exhibit A: Support & Service Levels
During the Term, GHDS shall provide Client with the following support services and service levels for the Service:
E-mail technical support: During the hours of 8 a.m. to 5 p.m., Monday through Friday (but excluding federal holidays), GHDS will respond to Client’s technical support-related e-mails within 24 hours of receipt.
Uptime Service Levels: The Service will function and be available to Client as provided in this Agreement with an Availability of 99.9% or better. If the Service’s Availability for any month is from 99% to 99.9%, Client will be credited 5% of its monthly Fees. If the Service’s Availability for any month is from 95% to 99%, the credit will be 15% of the monthly Fees. If the Service’s Availability for any month is less than 95%, the credit will be 30% of the monthly Fees.
“Actual Uptime” means the time that the Service is actually available for use by Client as contemplated by this Agreement during a calendar month, as calculated by subtracting Downtime from Scheduled Uptime.
“Availability” means the Actual Uptime expressed as a percentage of the Scheduled Uptime for the Service.
“Downtime” means the aggregate duration of Outages during the applicable Scheduled Uptime during a calendar month.
“Non-Peak Hours” will be the hours between 8pm and 8am, Eastern Time.
“Outage” means any time during which the Service is not available for use by Client as contemplated by this Agreement for more than 5 consecutive minutes.
“Scheduled Maintenance” means periods of time, not to exceed 8 hours per month and that will take place during Non-Peak Hours, during which GHDS performs scheduled maintenance on the Service.
“Scheduled Uptime” means 24 hours per day, 7 days per week, but excluding any periods of Scheduled Maintenance.
Connectivity List & Service Levels: A list of Third Party Apps that the Service can access (the “Connectivity List”) will be posted and updated from time to time in GHDS’s Developer Portal. The Connectivity List will designate each listed Third Party App as being in one of three (3) categories, with each category having the Retrieval Rate and Average Time to Validation indicated in the table below:
| Category | Retrieval Rate | Average Time to Validation |
|---|---|---|
| Tier 1 | | |
| Tier 2 | | |
| Unsupported | No specified Retrieval Rate | No specified Average Time to Validation |
“Retrieval Rate” means the rate at which the Service is able to successfully retrieve data with a given Third Party App (i.e., the number of successful retrieval attempts to such portal divided by all retrieval attempts to such portal, with the result expressed as a percentage). In calculating the Retrieval Rate, only retrieval attempts that include the applicable End User’s complete and valid login credentials shall be taken into account.
“Average Time to Validation” means the amount of time that the Service takes to validate data retrieval and begin retrieving data from a given Third Party App.
The above service levels shall not be applicable to instances involving user error.
These measurements shall be taken quarterly.
Adding Connectivity to Unsupported Portals: With respect to Third Party Apps in the Unsupported category, Client may make a written request to add connectivity to such portals. GHDS shall respond to such requests within twenty-four (24) hours (during GHDS’s normal business hours) and provide Client with a written estimate of the time it will take to add such connectivity and any additional cost to the Client for doing so. If Client desires GHDS to proceed with adding such connectivity to an Unsupported Third Party App, the parties shall enter into a separate statement of work for such added connectivity.
Unidentified Apps: With respect to Third Party Apps that GHDS cannot readily distinguish online and are not mapped in GHDS’s existing directory (“Unidentified Apps”), Client shall use good faith efforts to obtain additional information from the applicable End User(s) in order to assist GHDS in determining whether such Unidentified Apps constitute Tier 1, Tier 2 or Unsupported Third Party Apps. GHDS shall have no liability for lack of connectivity to Unidentified Apps, but, subject to Client’s provision of additional information, GHDS shall use good faith efforts to determine whether such Unidentified Apps are ultimately identifiable.
Connectivity Repairs: In the event that the Service’s connectivity to a Tier 1 or Tier 2 Third Party App is lost or materially diminished, GHDS shall use best efforts to repair the connectivity within the following timeframes:
| Third Party App category | Repair timeframe |
|---|---|
| Tier 1 | 5 business days |
| Tier 2 | 10 business days |
The above-stated repair timeframes shall not apply to Third Party Apps that have been modified in a manner that (a) employs multi-factor authentication, or (b) otherwise materially affects the Service’s ability to connect with and access the Authorized Data stored therein.
Exhibit B: Go-Live Requirements
Client shall provide the following to GHDS prior to Client being given access to the Service’s production environment:
Formal Demo – Client shall provide GHDS with a formal demonstration of the Client App (and the use case for which it will utilize the Service) (a “Formal Demo”). Formal Demos will be scheduled as live sessions with the GHDS team so that GHDS and Client can engage in a formal Q&A. With Client’s prior written consent, the Formal Demo may be recorded by GHDS. If feasible, Client will also provide GHDS with a direct URL to the Client App for GHDS’s internal testing purposes. Any recordings of the Formal Demo shall be used solely for GHDS’s internal purposes to train staff and help them understand the integration use case being leveraged by the Client App.
Documentation and Reference to Security and Architecture – Client shall deliver to GHDS a brief (i.e., 2–3 page) document or white paper outlining the Client App’s use and management of End User data. In addition, Client shall deliver to GHDS written descriptions of:
- The Client App’s infrastructure provider;
- The Client App’s data encryption specifications, both in-transit and at-rest; and
- Client’s access to data, both physical and logical, via the Client App, including:
  - Client’s internal data security policies and safeguards;
  - Data security policies and safeguards of any third-party vendors used by Client in connection with the Client App (if relevant); and
  - The Client App’s data security policies and safeguards.
Exhibit C: Business Associate Agreement
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 C.F.R. Parts 160 and 164, subparts C, D, and E (the “HIPAA Security Rule”, “Breach Notice Rule”, and “Privacy Rule”, respectively); and
WHEREAS, the American Recovery and Reinvestment Act (“ARRA”) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security, Breach Notice and Privacy Rules (hereinafter, all references to the HIPAA Security Rule, Breach Notice Rule or Privacy Rule are deemed to include all amendments to such rules contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, GHDS (for purposes of this BAA, “Business Associate”) and Client have entered into a Services Agreement to which this Business Associate Agreement is attached as an Exhibit (the “Services Agreement”) and whereby Business Associate will provide certain services to Client, and, pursuant to the Services Agreement, Business Associate may be considered a “business associate” of Client as defined in HIPAA or the HIPAA Security Rule, Breach Notice Rule or Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information, as defined below, in fulfilling its responsibilities under such arrangement.
NOW, THEREFORE, by execution of the Services Agreement, into which this Business Associate Agreement is incorporated by reference pursuant to Section 5(d) thereof, Business Associate and Client (each a “Party” and collectively the “Parties”) hereby agree to the terms and conditions hereof.
Terms used but not otherwise defined in this Business Associate Agreement shall have the same meanings as the meanings ascribed to those terms in (a) HIPAA, the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (the “HITECH” Act), and any current and future regulations promulgated under HIPAA or HITECH, and (b) the Services Agreement.
1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
- (a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Client or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
- (b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Client or Business Associate to another person authorized to access Protected Health Information at Client or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
- (c) A disclosure of Protected Health Information where Client or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
1.2 “Designated Record Set” means a group of records maintained by or for a Client that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Client to make decisions about Individuals.
1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Rule.
1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.5 “HIPAA Breach Notice Rule” shall mean Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. part 164, subpart D.
1.6 “HIPAA Privacy Rule” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 164, subpart E.
1.7 “HIPAA Security Rule” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 164, subpart C.
1.8 “Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and:
- (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
- (b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.9 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Client including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined above. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Client and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Client or its operating units to Business Associate or is created or received by Business Associate on Client’s behalf shall be subject to this Business Associate Agreement.
1.10 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
1.11 “Unsecured Protected Health Information” or “Unsecured PHI” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in the HIPAA Breach Notice Rule.
Obligations of Business Associate
2.1 General Use or Disclosure of PHI. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Client, if such use or disclosure would not violate HIPAA if done by Client.
2.2 Limited Use or Disclosure of PHI. Business Associate will not sell PHI, receive any form of remuneration in exchange for PHI, or use or disclose PHI for marketing or fund raising purposes without valid authorization. In addition, Business Associate will not use or further disclose Protected Health Information for any purpose other than:
- (a) to perform the services agreed to by the Parties;
- (b) for the proper management and administration of Business Associate or in accordance with its legal responsibilities, provided that for any such disclosure:
  - the disclosure is required by law; or
  - Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
- (c) to provide data aggregation services relating to health care operations of Client (for purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities);
- (d) to report violations of the law to law enforcement; or
- (e) to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514 (and the resulting de-identified information shall not be subject to the terms of this Business Associate Agreement).
2.3 Subcontractors. Business Associate agrees to take reasonable measures to ensure that any subcontractor to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Client, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of such Protected Health Information.
2.4 Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Client and comply with applicable provisions of the HIPAA Security Rule.
2.5 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Unsecured Protected Health Information by Business Associate in violation of this Business Associate Agreement.
2.6 Compliance. Business Associate will comply with all applicable requirements of the HIPAA Privacy Rule, including those contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii). To the extent Business Associate performs any of Client’s obligations under the HIPAA Privacy Rule, Business Associate will comply with the requirements of the HIPAA Privacy Rule that apply to Client in the performance of those obligations.
2.7 Notice of Use or Disclosure, Security Incident or Breach.
Business Associate agrees to notify Client of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. § 164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of a Breach. Business Associate shall provide the following information in such notice to Client, to the extent such information is available:
- the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
- a description of the nature of the Breach including the types of Unsecured PHI that were involved, the date of the Breach and the date of discovery;
- a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);
- the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;
- a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and
- any other details available to Business Associate that may be necessary for Client to comply with the HIPAA Breach Notice Rule.
Client will be responsible for providing notification to Individuals whose Unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HIPAA Breach Notice Rule. In the event that a Breach of Unsecured PHI occurs as a result of actions by Client or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Client’s Breach analysis procedures, including risk assessment and determination of the extent of access of such Unsecured PHI, at the written request of the Client or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then-current rates.
The Parties agree that this section satisfies any notice requirements of Business Associate to Client of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Client shall be required. For purposes of this Business Associate Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
2.8 Access. Business Associate agrees to provide access, at the request of Client, and in a time and manner mutually agreed upon by Client and Business Associate, to Protected Health Information in a Designated Record Set, to Client or, as directed by Client, to an Individual. Business Associate may charge Client or Individual for the actual labor cost involved in providing such access. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by 45 C.F.R. § 164.524. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the Client or the applicable Individual, as directed by Client.
2.9 Restrictions. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to 45 C.F.R. § 164.522 of the HIPAA Privacy Rule to which Client has agreed and of which Business Associate is notified by Client in writing, unless otherwise required by law or for emergency purposes.
2.10 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set in accordance with 45 C.F.R. § 164.526 that Client directs or agrees to implement, upon written request of Client.
2.11 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Client, available to the Secretary in a time and manner designated by the Secretary, for the purposes of the Secretary in determining the Parties’ compliance with HIPAA and any corresponding regulations.
2.12 Accounting. Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by 45 C.F.R. § 164.528. The accounting shall be made within a reasonable amount of time, mutually agreed upon by Client and Business Associate, upon receipt of a written request from Client.
2.13 Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
Obligations of Client
3.1 Notice of Privacy Practices of Client. Client shall provide Business Associate with the notice of privacy practices that Client produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.
3.2 Restrictions in Use of PHI. Client shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information to which Client has agreed, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.3 Changes in the Use of PHI. Client agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.
3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Client will not ask Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Client.
3.5 Minimum Necessary. Client shall disclose only the minimum amount of PHI necessary for Business Associate to provide the services and will assist Business Associate in meeting the minimum necessary principle as required by HIPAA and this Business Associate Agreement.
3.6 Consents. Client shall obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Client.
Term and Termination
4.1 Term. The Term of this Business Associate Agreement shall be effective as of the Effective Date of the Services Agreement and shall terminate when all of the Protected Health Information provided by Client to Business Associate, or created or received by Business Associate on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a material breach of this Business Associate Agreement, the non-breaching Party may take one of the following steps:
- Provide an opportunity for the breaching Party to cure the material breach or end the violation, and if the breaching Party does not cure the material breach or end the violation within a reasonable time to be mutually agreed upon by the Parties, terminate this Business Associate Agreement; or
- Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Agreement and cure of the material breach is not possible.