Terms of Use

  1. ACCEPTANCE OF TERMS AND CONDITIONS

    These Terms and Conditions govern Your (“You”) purchase of a Subscription Service (the “Subscription Service”) providing access to and use of Recode Health’s web services and mobile application services, together with all related interfaces, functionality, supplements, add-on components, enhancements, updates, new versions or releases that Recode Health may make available (collectively, the “Subscription Service”) for Your end users. These Terms and Conditions (including Your corresponding Partner Service Plan (“the “PSP Service Plan”) and/or Client Service Plan (the “CSP Agreement”), the Recode Health Terms of Use, the Recode Health Privacy Policy, and all policies and guidelines referenced in these Terms and Condition (and any modifications that may be made to the preceding list of agreements) constitute a legally binding agreement between You and Recode Health, LLC (“Recode Health,” “we,” “us,” and “our”). References in this Agreement to the “Partner Service Plan Agreement” and the “Client Service Plan Agreement” shall include any prior versions of these agreements, regardless of naming conventions previously used. This includes, but is not limited to, agreements formerly titled [Implementation Form, e.g., “Platform Agreement,” “Client Agreement,” or “Implementation Form”], provided such agreements govern or governed the relationship between Recode and the Partner or Client. Any such prior agreements shall be considered functionally equivalent for purposes of interpretation and enforcement of these Terms and Conditions.


    MODIFICATION OF TERMS AND CONDITIONS

    We reserve the right to modify these Terms and Conditions at any time and in any manner at our sole discretion by: (a) posting a revision on the Site; or (b) sending information regarding the amendment to the email address You provide to us. BY CONTINUING TO USE OUR SERVICES FOR MORE THAN 20 DAYS AFTER AMENDMENTS HAVE BEEN POSTED OR INFORMATION REGARDING AMENDMENTS HAS BEEN SENT TO YOU, YOU AGREE TO ACCEPT THE AMENDMENTS. You agree that we will not be liable to You for any modification of the Terms and Conditions.


    DEFINITIONS

     “Account” means a unique account established by You to enable Your Authorized Users to access and use the Subscription Service.


     “Agreement” means the signed, written agreement between You and Recode Health pursuant to which you obtain rights to use the Subscription Service and receive Professional Services from Recode Health. The Agreement includes these Terms and Conditions, as well as any applicable Service Plan relating to Professional Services.


     “Authorized User” means any employee or agent of You, identified by a unique email address and username, who is registered under the Account, provided that no two persons may register, access or use the Subscription Service as the same Authorized User.


     “Professional Services” means Professional Services provided by Recode Health to You.


     “License” means an active Authorized User listed in the membership of an Account at any one time. No two individuals may log onto or use the Subscription Service as the same Authorized User, but You may unregister or deactivate Authorized Users and replace them with other Authorized Users without penalty, so long as the number of active Authorized Users registered at any one time is equal to or less than the number of Licenses purchased.


     “Service Plan” means the right to access and use the Subscription Service for a specified period in exchange for a periodic fee, subject to any Service Plan restrictions and requirements that are used to describe the selected Service Plan. Restrictions and requirements may include any or all the following: (a) number of Licenses that You may use in a month or year for a fee; (b) per-license or per-user restrictions; (c) the license to use Recode Health software products in connection with the System; and (e) per use fees.


     “Subscription Service” means Recode Health’s web services and mobile application services, together with all related interfaces, functionality, supplements, add-on components, enhancements, updates, new versions or releases that Recode Health may make available.


     “System” refers to the software systems and programs, communication and network facilities, and hardware and equipment used by Recode Health or its agents to provide the Subscription Service.


     “Term” means the period of effectiveness of these Terms and Conditions, as specified in Section 13.1 below.


     “Transaction Data” means the metadata associated with Your Account (such as transaction history and search history) and maintained by Recode Health to establish the digital audit trail required by the Subscription Service.


    SUBSCRIPTION SERVICE

    During the term of the Service Plan and subject to these Terms and Conditions, You will have the right to obtain an Account and register Your Authorized Users, who may access and use the Subscription Service. You must be 12 years of age or older to register for an Account and use the Subscription Service. Your right to access and use the Subscription Service is limited to Your Authorized Users, and You agree not to resell or otherwise provide or assist with the provision of the Subscription Service to any third party. In addition, Recode Health’s provision of the Subscription Service is conditioned on Your acknowledgment and agreement to the following: 


    The content available through the Subscription Service does not constitute an employee health plan and does not replace or supplement any form of insurance coverage that You make available to Your employees.


    The content provided through the Subscription Service is for informational and educational purposes only. The provision of this content does not create a medical professional/patient relationship between Your Authorized Users and Recode Health, or Your Authorized Users and any health care professional whose content appears on the Subscription Service. Nor does the provision of content constitute an opinion, medical advice, or diagnosis or treatment of any medical condition.


    The provision of the Subscription Services does not satisfy any legal or contractual obligation You may have to provide health care or health insurance to any of Your employees, including Your Authorized Users. You are solely responsible for understanding and fulfilling Your legal obligations to Your employees.

    Optional content provided by AI is generated for informational purposes only and is not legally binding. It is universally understood and accepted that AI may produce errors or inaccuracies, and no information provided should be construed as legal, financial, medical, or professional advice.


    Scope of Use


    Subject to the terms of the PSP or CSP Agreement, the user will granted a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Services solely for its internal business operations and in accordance with the applicable Service Plan. Use of the Services is limited to the number of users, licenses, or other usage metrics specified in the Partner Service Plan or Client Service Plan Agreement.

    The Customer shall not:

    Rent, sell, lease, sublicense, or otherwise make the Services available to any third party;

    Use the Services for the benefit of any third party, including as part of a service bureau or timeshare arrangement;

    Reverse engineer, decompile, or attempt to derive the source code of the Services;

    Interfere with or disrupt the integrity or performance of the Services;

    Use the Services in violation of any applicable law, regulation, or third-party rights.


    ACCESS LIMITS

    Your and Your Authorized Users use of the Subscription Service is at all times governed by its Terms of Use.


    RESPONSIBILITY FOR USE OF THE SUBSCRIPTION SERVICE

    As between You and us, You are solely responsible for the acts of Your Authorized Users while accessing and using the Subscription Service. You will not use or permit the use of the Subscription Service: (i) to communicate any message or material that is defamatory, harassing, libelous, threatening, or obscene; (ii) in a way that violates or infringes upon the intellectual property rights or the privacy or publicity rights of any person or entity or that may otherwise be unlawful or give rise to civil or criminal liability; (iii) in any manner that is likely to damage, disable, overburden, or impair the System or the Subscription Service or interfere with the use or enjoyment of the Subscription Service by others; or (iv) in any way that constitutes or encourages conduct that could constitute a criminal offense.


    THIRD-PARTY SERVICES and LINKS DISCLAIMER

    We may provide, or third parties may provide, links to other Web sites or resources that are beyond our control. We make no representations as to the quality, suitability, functionality, or legality of any sites to which links may be provided, and You hereby waive any claim You might have against us with respect to such sites. RECODE HEALTH IS NOT RESPONSIBLE FOR THE CONTENT ON THE INTERNET OR WEB PAGES THAT ARE CONTAINED OUTSIDE THE SITE. Your correspondence or business dealings with, or participation in promotions of, advertisers or partners found on or through the Site, including payment and delivery of related goods or services, and any other terms, conditions, warranties, or representations associated with such dealings, are solely between You and such advertiser or partner. You agree that we are not responsible or liable for any loss or damage of any sort incurred as the result of any such dealings or as the result of the presence of such advertisers or partners on the Site.



    DATA RETENTION POLICY

    Recode Health will retain data for as long as it has a business purpose to do so and/or in compliance with all data retention laws applicable to You.


    SMS

    By registering with the app, the user is consenting to receive SMS messages regarding instructions or updates for logging in (OTP). Users may stop these communications at any point by replying STOP to any SMS message they receive or reaching out to their employers and asking to not utilize these services. Msg frequency varies. Msg & data rates may apply.


    REDEMPTION

    Company is responsible to pay for all employee rewards redemption outside of the standard set redemption practices set by Recode Health.



    DEPOSITS, SERVICE LIMITS, CREDIT REPORTS, AND RETURN OF BALANCES

    You authorize us to ask consumer reporting agencies or trade references to furnish us with employment and credit information, and You consent to our rechecking and reporting personal and/or business payment and credit history if, in our sole discretion, we so choose. If You believe that we have reported inaccurate information about Your account to a consumer reporting agency, You may send a written notice describing the specific inaccuracy to the address provided in the Notices section below.


    TERM AND TERMINATION

    The Term for each Client will be in accordance with the applicable Service Plan and can be terminated in accordance with the applicable Service Plan.


    For any termination, You will be responsible for payment of all fees and charges through the end of the billing cycle in which termination occurs. 

    Upon expiration or termination of the Service Plan Agreement for any reason, you acknowledge and agree that, unless the parties have otherwise previously agreed in writing or Recode Health is otherwise required by law to do so, Recode Health is not obligated to retain any Client Data for longer than thirty (30) days after the date of expiration or termination and Client authorizes Recode Health to permanently delete all Client Data that remains in Recode Health’s possession or control  at the end of such 30 day period.  Client shall be solely responsible for downloading all Client Data and complying with all data retention laws applicable to Client.


    You will be in default of these Terms and Conditions if You: (a) fail to pay any amount owed to us; (b) have amounts still owing to us from a prior account; (c) breach any provision of these Terms and Conditions; (d) violate any policy applicable to the Subscription Service; (e) are subject to any proceeding under the Bankruptcy Code or similar laws; or (f) if, in our sole discretion, we believe that Your continued use of the Subscription Service presents a threat to the security of other users of the Subscription Service. If You are in default, we may, without notice to You, suspend Your Account and use of the Subscription Service, withhold refunds and terminate Your Account, in addition to all other remedies available to us. We may require reactivation charges to reactivate Your Account after termination or suspension. The following provisions will survive the termination of these Terms and Conditions and Your Account: Sections 9-33.


    SUBSCRIBER WARRANTIES

    You hereby represent and warrant to Recode Health that: 

        You have all necessary rights and authority to use the Subscription Service under these Terms and Conditions and to grant all applicable rights herein; 

    The performance of Your obligations under these Terms and Conditions will not violate, conflict with, or result in a default under any other agreement, including confidentiality agreements between You and third parties; 

    You will use and authorize Your Authorized Users to use the Subscription Service for lawful purposes only and subject to these Terms and Conditions; 

    You are responsible for all use of the Subscription Service in Your Account; 

    You are solely responsible for maintaining the confidentiality of Your Account names and password(s); 

    You agree to immediately notify us of any unauthorized use of Your Account of which You become aware; 

    You agree that Recode Health will not be liable for any losses incurred as a result of a third party’s use of Your Account, regardless of whether such use is with or without Your knowledge and consent; 

    You will not use the Subscription Service in any manner that could damage, disable, overburden or impair the System, or interfere with another’s use of the Subscription Service; 

    Any information submitted to Recode Health by You is true, accurate, and correct; and

    You will not attempt to gain unauthorized access to the System or the Subscription Service, other accounts, computer systems, or networks under the control or responsibility of Recode Health through hacking, cracking, password mining, or any other unauthorized means.


    DISCLAIMER OF WARRANTIES

    THE SUBSCRIPTION SERVICE AND THE PROFESSIONAL SERVICES ARE PROVIDED “AS IS”. WE MAKE NO EXPRESS OR IMPLIED WARRANTIES OR GUARANTEES ABOUT THE SUBSCRIPTION SERVICE OR THE PROFESSIONAL SERVICES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE HEREBY DISCLAIM ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT INFORMATION OR RESULTS OBTAINED FROM THE USE OF THE SUBSCRIPTION SERVICE OR THE PROFESSIONAL SERVICES WILL BE EFFECTIVE, RELIABLE OR ACCURATE OR WILL MEET YOUR REQUIREMENTS. WE DISCLAIM ALL WARRANTIES WITH RESPECT TO THIRD PARTY CONTENT ON THE SUBSCRIPTION SERVICE. WE MAKE NO WARRANTIES ABOUT THE INFORMATION SYSTEMS, SOFTWARE AND FUNCTIONS MADE ACCESSIBLE THROUGH THE SUBSCRIPTION SERVICE OR ANY OTHER SECURITY ASSOCIATED WITH THE TRANSMISSION OF SENSITIVE INFORMATION. WE DO NOT WARRANT THAT THE SUBSCRIPTION SERVICE WILL OPERATE ERROR-FREE, THAT LOSS OF DATA WILL NOT OCCUR, OR THAT THE SUBSCRIPTION SERVICE OR SOFTWARE ARE FREE OF COMPUTER VIRUSES, CONTAMINANTS OR OTHER HARMFUL CODE. YOUR ONLY REMEDY FOR DEFECTIVE PROFESSIONAL SERVICES WILL BE THAT RECODE HEALTH WILL, AT ITS OPTION, REPAIR OR REPLACE ANY DEFECTIVE DELIVERABLES PROVIDED THROUGH OUR PROFESSIONAL SERVICES OR ISSUE A REFUND FOR MONIES PAID FOR THE DEFECTIVE SERVICES.


    RECODE HEALTH WARRANTIES

    Recode Health represents and warrants that: 

    The performance of our obligations under these Terms and Conditions will not violate, conflict with, or result in a default under any other agreement, including confidentiality agreements between us and third parties; 

     The Subscription Service will work in accordance with the Documentation provided by us in their then-current form at the time of the provision of such Subscription Service; and 

     Recode Health has implemented information security policies and safeguards to preserve the security, integrity, and confidentiality of content that You and Your Authorized Users submit to the Subscription Service.


    SUBSCRIBER INDEMNIFICATION OBLIGATIONS

    Each party will defend, indemnify, and hold us, our affiliates, officers, directors, employees, suppliers, consultants, and agents harmless from any and all third party claims, liability, damages, and costs (including, but not limited to, attorneys’ fees) arising from or related to: (a) its use or provision of the Subscription Service and the deliverables from Recode Health’s Professional Services; (b) its violation of these Terms and Conditions; (c) its infringement of any intellectual property or other right of any person or entity.


    LIMITATIONS OF LIABILITY

    IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANYONE ELSE FOR ANY DECISION MADE OR ACTION TAKEN BY IN RELIANCE ON THE SUBSCRIPTION SERVICE. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY DISCLAIMS LIABILITY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, RELIANCE, OR CONSEQUENTIAL DAMAGES, (ii) LOSS OF PROFITS, (iii) BUSINESS INTERRUPTION, (iv) REPUTATIONAL HARM, OR (v) LOSS OF INFORMATION OR DATA. THESE EXCLUSIONS APPLY TO ANY CLAIMS FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, ANY OTHER COMMERCIAL DAMAGES OR LOSSES, OR MEDICAL MALPRACTICE OR NEGLIGENCE OF HEALTH CARE PROVIDERS UTILIZED THROUGH USE OF THE SUBSCRIPTION SERVICE, EVEN IF IT KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, UNDER NO CIRCUMSTANCES WILL RECODE HEALTH’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THE SUBSCRIPTION SERVICE (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EXCEED THE TOTAL AMOUNT PAID BY YOU TO RECODE HEALTH UNDER THESE TERMS AND CONDITIONS DURING THE 12 MONTHS PRECEDING THE DATE OF THE ACTION OR CLAIM. RECODE HEALTH’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO OUR PROFESSIONAL SERVICES WILL BE CAPPED AT THE AMOUNT ACTUALLY PAID BY YOU FOR THE AFFECTED SERVICES.


    CONFIDENTIALITY

    “Confidential Information” means any confidential, proprietary and trade secret information of Recode Health that is disclosed to or made available to You. Confidential Information does not include any information that: (a) was rightfully known to You prior to receiving it from Recode Health; (b) is independently developed by You without use of or reference to any Confidential Information; (c) is rightfully acquired by You from another source without restriction as to use or disclosure; or (d) is or becomes publicly known through no fault or action of You. During and after the Term of these Terms and Conditions, You will: (i) use the Confidential Information solely for the purpose for which it is provided; (ii) not disclose such Confidential Information to a third party; and (iii) protect such Confidential Information from unauthorized use and disclosure to the same extent that You protect Your own Confidential Information of a similar nature (but no less than reasonable care under the circumstances).

    If You are required by law to disclose the Confidential Information, You must give prompt written notice of such requirement before such disclosure and assist the Recode Health in obtaining an order protecting the Confidential Information from public disclosure. You acknowledge that, as between You and us, all Confidential Information You receive from Recode Health, including all copies, is proprietary to and exclusively owned by Recode Health.


    PRIVACY

    Personal information provided or collected through or in connection with this Site will only by used in accordance with Recode Health’s Privacy Policy. These Terms and Conditions are subject to the Privacy Policy on Recode Health’s website https://www.onestrive.com/privacy-policy/ and linked to the Subscription Service, which sets forth the terms and conditions governing Recode Health’s collection and use of personal information from Authorized Users.


    INTELLECTUAL PROPERTY

    Recode Health is the owner of various intellectual property and technology rights associated with the Subscription Service and the Professional Services. Except for the rights expressly granted in the Agreement, Recode Health does not transfer to You or any Authorized User any of Recode Health’s technology or other intellectual property or technology rights. All right, title, and interest in and to Recode Health’s technology and intellectual property will remain solely with the Recode Health. You agree that You will not, directly or indirectly, reverse engineer, decompile, disassemble, or otherwise attempt to derive source code or other trade secrets from the Subscription Service or Recode Health’s technology. Recode Health agrees that data and information provided by You under these Terms and Conditions will remain, as between You and Recode Health, owned by You.


    FEEDBACK

    If You choose to provide us with any feedback, suggestions, or similar communications (collectively, “Feedback”), You grant to Recode Health a perpetual, sublicensable, assignable, unrestricted, worldwide, royalty-free, fully paid-up, irrevocable license, under all of Your intellectual property rights, to use, reproduce, display, perform, modify, create derivative or collective works and distribute Your Feedback, and any of our products or services embodying Your Feedback, in any manner we choose, without reference to the source.


    INDEPENDENT CONTRACTORS

    Recode Health will be and act as an independent contractor (and not as the agent or representative of You) in the performance of these Terms and Conditions. These Terms and Conditions will not be interpreted or construed as: (a) creating or evidencing any association, joint venture, partnership, or franchise between the parties; (b) imposing any partnership or franchise obligation or liability on either party; (c) prohibiting or restricting either party’s performance of any services for any third party; or (d) establishing or as a foundation for any rights or remedies for any third party, whether as a third party beneficiary or otherwise. You must not represent to anyone that You is an agent of Recode Health or is otherwise authorized to bind or commit Recode Health in any way without Recode Health’s prior authorization.



    ASSIGNMENT

    You may not assign its rights, duties, or obligations under these Terms and Conditions without Recode Health’s prior written consent. If consent is given, these Terms and Conditions will bind Your successors and assigns. Any attempt by You to transfer its rights, duties, or obligations under these Terms and Conditions except as expressly provided in these Terms and Conditions is void. Recode Health may freely assign its rights, duties, and obligations under these Terms and Conditions. Recode Health may utilize a subcontractor or other third party to perform its duties under these Terms and Conditions so long as: (a) Recode Health will not be relieved of any responsibilities or obligations under these Terms and Conditions that are performed by the subcontractor or third party; and (b) Recode Health will remain Your sole point of contact and sole contracting party.


    NOTICE

    Any notice required or permitted to be given in accordance with these Terms and Conditions will be effective if it is in writing and sent by email, certified or registered mail, or insured courier, return receipt requested. Notices to You will be sent to the address You provided in Your Service Plan, unless You notify us of another address in writing. 


    FORCE MAJEURE

    Neither party will be liable for, or be considered to be in breach of or default under these Terms and Conditions on account of, any delay or failure to perform as required by these Terms and Conditions as a result of any cause or condition beyond such party’s reasonable control, so long as such party uses all commercially reasonable efforts to avoid or remove such causes of non-performance or delay.


    CHOICE OF LAW

    Delaware law will govern these Terms and Conditions and any dispute between You and Recode Health, without regard to conflict of law principles. You irrevocably submit to the exclusive personal jurisdiction of the State and Federal courts of Delaware over all disputes arising through or resulting from these Terms of Use and waive all objections to that jurisdiction and venue. 


    ARBITRATION

    This agreement requires the use of arbitration to resolve disputes, rather than jury trials. 


    CLIENT AND RECODE HEALTH ARE AGREEING TO GIVE UP ANY RIGHTS TO LITIGATE CLAIMS IN A COURT OR BEFORE A JURY. OTHER RIGHTS THAT CLIENT WOULD HAVE IF CLIENT WENT TO COURT MAY ALSO BE UNAVAILABLE OR MAY BE LIMITED IN ARBITRATION.  ANY CLAIM, DISPUTE OR CONTROVERSY (WHETHER IN CONTRACT, TORT OR OTHERWISE, WHETHER PRE-EXISTING, PRESENT OR FUTURE, AND INCLUDING STATUTORY, CONSUMER PROTECTION, COMMON LAW, INTENTIONAL TORT, INJUNCTIVE AND EQUITABLE CLAIMS) BETWEEN CLIENT AND RECODE HEALTH ARISING FROM OR RELATING IN ANY WAY TO CLIENT’S SUBSCRIPTION TO, ACCESS TO, OR USE OF THE SYSTEM WILL BE RESOLVED EXCLUSIVELY AND FINALLY BY BINDING ARBITRATION.


    The arbitration will be administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules and Mediation Procedures (“Commercial Rules”). The arbitrator will have exclusive authority to resolve any dispute relating to arbitrability and/or enforceability of this arbitration provision, including any unconscionability challenge or any other challenge that the arbitration provision or the agreement is void, voidable or otherwise invalid. The arbitrator will be empowered to grant whatever relief would be available in court under law or in equity. Any award of the arbitrator(s) will be final and binding on each of the parties, and may be entered as a judgment in any court of competent jurisdiction.


    If any provision of this arbitration agreement is found unenforceable, the unenforceable provision will be severed, and the remaining arbitration terms will be enforced.


    EFFECT OF WAIVER

    The waiver by either party of any breach of any provision of the Agreement does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with the Agreement will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of the Agreement.


    SEVERABILITY

    If any part of these Terms and Conditions is found to be illegal, unenforceable, or invalid, the remaining portions of these Terms and Conditions will remain in full force and effect. If any material limitation or restriction on the grant of any license to You under these Terms and Conditions is found to be illegal, unenforceable, or invalid, the license will immediately terminate.


    ENTIRE AGREEMENT; AMENDMENTS

    Except as set forth in Section 2 of these Terms and Conditions, these Terms and Conditions may not be amended except in writing signed by both You and us. These Terms and Conditions are the final and complete expression of the agreement between these parties regarding the Subscription Service. These Terms and Conditions supersede, and the terms of these Terms and Conditions govern, all previous oral and written communications regarding these matters.


    NON-DISPARAGEMENT

    During and after the term of this agreement, neither party shall make any disparaging statements, either oral or written, about the other party, its products, services, employees, or business practices, to any third party, including but not limited to customers, vendors, business partners, or the general public.


    PUBLICITY

    Recode Health may use Company’s name to identify Company as a customer of Recode Health in any communications medium, including press releases, print advertising and broadcast or web-based communications, Recode Health lists or links to Recode Health’s web site, without the prior written consent of Company.  All other uses shall require the prior written consent of the Company. 

Exhibit B

HIPAA BUSINESS ASSOCIATE AGREEMENT

RECODE HEALTH, LLC.
and
Your Company

This HIPAA Business Associate Agreement (the “BAA”) is made and entered into by and between your company, on behalf of itself and all of its affiliates (collectively “ “Covered Entity”) and Recode Health, LLC (“Business Associate,” as defined in HIPAA, defined below) beginning as of the date of the Client Service Plan or Partner Service Plan Agreement (“Begin Date”). It supplements and is made a part of all agreements, oral or written, including any past engagement for which Business Associate retains PHI (defined in paragraph 1(d) below), any current engagement and any future engagement (collectively the “Agreement”), by and between Covered Entity and Business Associate.

RECITALS
A. Under the above Agreement, Business Associate has access to data which may include both Protected Health Information (“PHI,” defined below) and non-PHI disclosed or made available by or on behalf of Covered Entity to Business Associate.
B. Covered Entity and Business Associate are required to comply with the Health Insurance Portability and Accountability Act (“HIPAA,” defined below) and other laws which protect the privacy and security of patients’ PHI.
C. HIPAA requires the parties to enter into a contract containing specific requirements to protect the security and privacy of patients’ PHI.
In consideration of the foregoing and the mutual promises and exchange of information pursuant to this Agreement, the parties agree to amend the Agreement by incorporating all of the following into the Agreement:

1. General Provisions, Including Definitions. The recitals are incorporated by reference into this BAA. This BAA is intended to apply all services provided to Covered Entity by Business Associate, as of the Begin Date, whether or not such engagement has been reduced to writing, and supersedes any form of business associate agreement, exhibit or provision that the parties may have heretofore entered into. In this BAA, Covered Entity shall have all the rights, duties and obligations of the “Covered Entity” as defined under HIPAA (defined below), and Business Associate shall have all the rights, duties and obligations of the “Business Associate” as defined under HIPAA (defined below). All capitalized terms not defined herein shall have the meaning ascribed to them by HIPAA (defined below), including Business Associate, Covered Entity, Data Aggregation and Designated Record Set.

(a) “Breach” shall mean the unlawful or unauthorized access to, viewing, acquisition, use or disclosure of PHI that compromises the security or privacy of said PHI.

(b) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005) and the rules, guidance and regulations promulgated thereunder, as amended from time to time, including 45 Code of Federal Regulations, Parts 160 and 164.

(c) “Patient” shall have the same meaning as the term “individual” under HIPAA and shall include a person who qualifies as a personal representative.

(d) “Protected Health Information” (“PHI”) shall have the meaning given to such term under HIPAA and shall include any information, whether oral or recorded in any form or medium, limited to the information created or received by Business Associate from or on behalf of Covered Entity (i) that relates to the past, present or future physical or mental health condition of the patient, the provision of health care to patient, or the past, present or future payment for the provision of health care to patient; and (ii) that identifies the patient or with respect to which there is a reasonable basis to believe the information can be used to identify the patient.

(e) “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or her/his designee.

(f) “Security Incident” shall mean any accidental, malicious or natural act that: (i) Results in a Breach of any PHI or credit card information; or (ii) Materially adversely impacts the functionality of the Covered Entity network; or (iii) Permits unauthorized access to the Covered Entity network; or (iv) Involves the loss or loss of control of a Covered Entity owned or managed information technology resource; or (v) Involves the use of Covered Entity technology resources for illegal purposes or to launch attacks against other individuals or organizations; or (vi) Materially impacts the integrity of Covered Entity’s files or databases maintained on the Covered Entity network including, but not limited to: (1) interface failures; (2) inadequate testing or change control procedures; or (3) other failures which result in the deletion or unauthorized changes to an electronic database. A “Security Incident” shall not include any attempted access of system operations in an information system by a Packer Internet Groper (PING) program.

(g) “State” shall mean the state in which the Covered Entity is located.

(h) “Subpart E” shall mean 45 Code of Federal Regulations, Part 164, Subpart E, which consists of Sections 164.500 et seq., as amended from time to time.

2. Permitted Uses and Disclosures by Business Associate

(a) For Covered Entity. Except as otherwise limited in the Agreement and this BAA, Business Associate (i) shall create, maintain, transmit, access, use or disclose PHI only for the benefit of Covered Entity and to perform functions, activities, or services as specified in the Agreement, and (ii) shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.

(b) Minimum Necessary. Business Associate shall use only the minimum amount of PHI necessary to perform the specified functions, activities or services, in accordance with Covered Entity’s minimum necessary policies and procedures. In the event of inadvertent access by Business Associate to more than the minimum necessary amount of Covered Entity’s PHI, Business Associate will: (i) treat all such PHI in accordance with the Agreement and this BAA; (ii) promptly notify Covered Entity, in accordance with paragraph 3(d) below, of such access; (iii) erase, delete, and/or return such PHI as quickly as possible; and (iv) take all necessary actions to prevent further unauthorized access to PHI beyond the minimum necessary amount.

(c) Management of Business Associate. Except as otherwise limited in the Agreement or this BAA, Business Associate may use or disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that (i) the disclosure is required or permitted by law, or (ii) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such information shall remain confidential and be used or further disclosed solely as required by law or for the purpose of assisting Business Associate to meet Business Associate’s obligations under the BAA. Business Associate shall require any person to whom PHI is disclosed under this subsection to notify Business Associate of any instance of which it is aware in which the confidentiality or security of the PHI has been breached. Notwithstanding the foregoing, Business Associate may de-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c).

(d) Data Aggregation. Except as otherwise permitted in the Agreement and this BAA, Business Associate may use PHI to provide Data Aggregation services.

(e) Compliance with State Laws. Business Associate may use, disclose and access PHI only as permitted by State law, unless such State law is contrary to HIPAA and is preempted by HIPAA in accordance with 45 Code of Federal Regulations Sections 160.201 et seq.

3. Obligations of Business Associate

(a) Use. Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement, this BAA or as required by law.

(b) Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Agreement and this BAA. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, security, integrity and availability of PHI that it receives, maintains, transmits or creates on behalf of Covered Entity and that comply with the requirements of HIPAA. In addition, if Business Associate conducts credit card transactions (i) such safeguards shall consist of or include the recommendations of the Payment Card Industry Data Security Standards, found at https://www.pcisecuritystandards.org and (ii) Business Associate shall not store security code (i.e. CVC) information or credit card magnetic strip information in any form.

(c) Mitigation. Business Associate shall promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the Agreement and this BAA.

(d) Notify Covered Entity. Business Associate shall promptly notify Covered Entity of any Security Incident or Breach in writing in the most expedient time possible, and not to exceed five business days in the event of a Breach, following Business Associate’s initial awareness of such Security Incident or Breach. Notwithstanding any notice provisions in the Agreement, such notice shall be made to the Covered Entity Chief Privacy Official or his/her designee by means of fax or by email. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any Breach or Security Incident. Notwithstanding anything to the contrary in this BAA, the parties agree that this Section 3(d) satisfies notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below), for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” include pings, broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service or any combination of the above, so long as no such incident results in a Breach.

(e) Breach Notification. Following notification to Covered Entity of a Breach, Business Associate shall promptly cooperate with Covered Entity in determining which entity shall provide any required Breach notification. If the parties agree that Business Associate shall provide any required Breach notification, Business Associate shall provide such notification timely and provide Covered Entity with documentation of Business Associate’s actions, including documentation of the names and addresses of those to whom the notifications were provided.

(f) Access. If Business Associate holds PHI in Designated Record Sets as determined by Covered Entity, Business Associate shall provide prompt access to the PHI to Covered Entity whenever so requested by Covered Entity, or, if directed by Covered Entity, to a Patient in order to meet the requirements of HIPAA and State Law, as applicable. If requested, such access shall be in electronic format. If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI, or (ii) requests its disclosure to a third party, the Business Associate shall promptly notify Covered Entity’s facility privacy official of such request.

(g) Amendments. Business Associate shall promptly make amendment(s) to PHI requested by Covered Entity and shall do so in the time and manner requested by Covered Entity to enable it to comply with HIPAA and State Law, as applicable. If Patient requests an amendment to his or her PHI, directly from Business Associate, the Business Associate shall promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.

(h) Internal Records. Business Associate shall promptly make its internal practices, books, records, including its policies and procedures, relating to the use, disclosure, or security of PHI that the Business Associate received from, maintained or created for or on behalf of Covered Entity, available to the Secretary to enable the Secretary to determine compliance with HIPAA.

(i) Accountings. Business Associate shall document all disclosures of PHI and information related to such disclosures as required under HIPAA in order that it may provide an accounting of such disclosures as Covered Entity directs. Business Associate shall: (i) Provide an accounting as required under HIPAA to those Patients who direct their requests to Business Associate; or (ii) Provide the accounting information required under HIPAA to Covered Entity, if so requested by Covered Entity, in the time and manner specified by Covered Entity.

(j) Preservation. Business Associate shall cooperate with Covered Entity and its medical staff to preserve and protect the confidentiality of PHI accessed or used pursuant to the Agreement and shall not disclose or testify about such information during or after the termination of the Agreement, except as required by law.

(k) Destruction. If, during the term of the Agreement, Business Associate wishes to destroy the PHI, it shall notify Covered Entity in writing about its intent to destroy data at least ten (10) days before such date of destruction, and shall comply with the requirements for destruction of PHI found in Section 5(a) of this BAA. If Covered Entity requests the return of any PHI, Business Associate shall comply as requested.

(l) HIPAA Compliance. Business Associate shall comply with 45 Code of Federal Regulations Part 164, Subpart C with respect to electronic PHI. The written policies and procedures and documentation required to be maintained by Business Associate under the Agreement, this BAA and HIPAA shall be made available to Covered Entity, upon Covered Entity’s request.

(m) Subcontractors and International Access. Business Associate shall ensure that any agent, including a subcontractor or employee, who creates, receives, maintains, or transmits Protected Health Information (“PHI”) on behalf of the Covered Entity or the Business Associate agrees, by written contract or written employment agreement, to comply with the same restrictions, conditions, and safeguards that apply to the Business Associate with respect to such PHI.
Business Associate may permit access to, maintenance of, or transmission of PHI by employees or subcontractors located outside of the United States, including but not limited to employees located in India, provided that such access or use:
(i) Is limited to individuals who are authorized and trained to handle PHI in compliance with HIPAA and this Agreement;
(ii) Is subject to contractual obligations and privacy safeguards equivalent to those required under this Agreement and applicable law; and
(iii) Occurs only through secure, access-controlled systems that prevent unauthorized use or disclosure.
Business Associate shall remain fully responsible for any acts or omissions of its employees, agents, or subcontractors, including those located outside of the United States, that result in a use or disclosure of PHI not permitted under this Agreement.

4. Effect of Breach of Obligations. If Business Associate breaches any of its obligations, Covered Entity shall have the option to do the following:

(a) Cure. Provide Business Associate an opportunity to cure the breach, to the extent curable, and end the violation within thirty (30) days written notice by Covered Entity. If Business Associate does not cure the breach or end the violation as and within the time specified by Covered Entity, or if the breach is not curable, Covered Entity may terminate this BAA; or

(b) Termination. Immediately terminate the BAA, if Covered Entity reasonably determines that Business Associate (1) has acted with gross negligence in performing its obligations; (2) is in willful violation of applicable law; (3) willfully has violated or is violating the privacy and security provisions of this BAA or HIPAA; or (4) is unable to provide, if requested, written assurances to Covered Entity of its ability to protect the confidentiality and security of the PHI. Such termination of the Agreement shall be without prejudice to other legal remedies available to Covered Entity.

5. Effect of Termination

(a) Disposition of PHI. Upon termination of this BAA and subject to Section 5(b) below, Business Associate shall promptly return to Covered Entity a copy of all PHI, including derivatives thereof (which for clarity does not include de-identified information), and shall take all reasonable steps to promptly destroy all other PHI held by Business Associate by: (i) shredding; (ii) securely erasing, or (iii) otherwise modifying the information in those records to make it unreadable or undecipherable through any means. This provision shall apply to PHI in the possession of subcontractors or agents of Business Associate. At Covered Entity’s request, Business Associate shall certify in writing that it has complied with the requirements of this Section.

(b) Infeasible; Survival. If the return or destruction of PHI is infeasible, Business Associate shall promptly notify Covered Entity of the conditions that make such return or destruction infeasible. Upon mutual determination by the parties that return or destruction of PHI is infeasible, the obligations of the Business Associate under this Amendment shall survive the termination of this BAA. Business Associate shall limit the further use or disclosure of all PHI to the purposes that make its return or destruction infeasible. If Business Associate subsequently wishes to destroy PHI, Business Associate shall notify Covered Entity in writing about its intent to destroy data at least ten (10) days before such date of destruction, and shall comply with Section 5(a) above. If Covered Entity requests the return of any PHI, Business Associate shall comply as requested.

Amendment. The parties agree to promptly modify or amend this BAA to permit parties to comply with any new laws, rules or regulations that might modify the terms and conditions herein.

General. The Agreement, including this BAA and attachments hereto are intended to be construed in harmony with each other, but in the event that any provision in this BAA conflicts with the provisions of the Agreement, or its other attachments, the provisions in this BAA shall be deemed to control and such conflicting provision or part thereof shall be deemed removed and replaced with the governing provision herein to the extent necessary to reconcile the conflict, except that the insurance provisions of this BAA (if any) and the Agreement are to be read as separate, concurrent obligations such that Business Associate shall comply with each obligation and one shall not replace the other. Except as amended by this BAA, all other terms of the Agreement remain in full force and effect. This BAA supersedes and replaces all previous oral or written Business Associate agreements, amendments, or exhibits between Business Associate and Covered Entity pertaining to protection of PHI. This BAA may be signed in two or more counterparts, all of which taken together shall be deemed to be one BAA. Signatures submitted via facsimile or electronic (scanned) means shall be deemed original signatures of the parties and shall be valid and binding upon the parties hereto.


No Third Party Beneficiary. The provisions and covenants set forth in this BAA are expressly entered into only by and between Business Associate and Covered Entity, and are only for their benefit. Neither Business Associate nor Covered Entity intends to create or establish any third party beneficiary status or right (or the equivalent thereof) in any other third party and no such third party shall have any right to enforce or enjoy any benefit created or established by the provisions and covenants in this BAA.