1. ACCEPTANCE OF TERMS AND CONDITIONS
2. MODIFICATION OF TERMS AND CONDITIONS
We reserve the right to modify these Terms and Conditions at any time and in any manner at our sole discretion by: (a) posting a revision on the Site; or (b) sending information regarding the amendment to the email address You provide to us. BY CONTINUING TO USE OUR SERVICES FOR MORE THAN 20 DAYS AFTER AMENDMENTS HAVE BEEN POSTED OR INFORMATION REGARDING AMENDMENTS HAS BEEN SENT TO YOU, YOU AGREE TO ACCEPT THE AMENDMENTS. You agree that we will not be liable to You for any modification of the Terms and Conditions.
3.1 “Account” means a unique account established by You to enable Your Authorized Users to access and use the Subscription Service.
3.2 “Agreement” means the signed, written agreement between You and Recode Health pursuant to which you obtain rights to use the Subscription Service and receive Professional Services from Recode Health. The Agreement includes these Terms and Conditions, as well as Your Service Plan and any applicable Statements of Work relating to Professional Services.
3.3 “Authorized User” means any employee or agent of You, identified by a unique email address and user name, who is registered under the Account, provided that no two persons may register, access or use the Subscription Service as the same Authorized User.
3.4 “Professional Services” means Professional Services provided by Recode Health to You.
3.4 “Seat” means an active Authorized User listed in the membership of an Account at any one time. No two individuals may log onto or use the Subscription Service as the same Authorized User, but You may unregister or deactivate Authorized Users and replace them with other Authorized Users without penalty, so long as the number of active Authorized Users registered at any one time is equal to or less than the number of Seats purchased.
3.5 “Service Plan” means the right to access and use the Subscription Service for a specified period in exchange for a periodic fee, subject to any Service Plan restrictions and requirements that are used to describe the selected Service Plan on the RecodeHealth.com website (the “Site”). Restrictions and requirements may include any or all of the following: (a) number of Seats that You may use in a month or year for a fee; (b) per-seat or per-user restrictions; (c) the license to use Recode Health software products in connection with the Subscription Service; and (e) per use fees.
3.6 “Subscription Service” means Recode Health’s healthcare related mobile applications, as updated from time to time, which provide the ability to store and display insurance identification cards, as well as information regarding emergency services, health plans, local healthcare providers, drug pricing and common health related questions.
3.7 “System” refers to the software systems and programs, communication and network facilities, and hardware and equipment used by Recode Health or its agents to provide the Subscription Service.
3.8 “Term” means the period of effectiveness of these Terms and Conditions, as specified in Section 11 below.
3.9 “Transaction Data” means the metadata associated with Your Account (such as transaction history and search history) and maintained by Recode Health in order to establish the digital audit trail required by the Subscription Service.
4. SUBSCRIPTION SERVICE
During the term of the Service Plan and subject to these Terms and Conditions, You will have the right to obtain an Account and register Your Authorized Users, who may access and use the Subscription Service. You must be 18 years of age or older to register for an Account and use the Subscription Service. Your right to access and use the Subscription Service is limited to Your Authorized Users, and You agree not to resell or otherwise provide or assist with the provision of the Subscription Service to any third party. In addition, Recode Health’s provision of the Subscription Service is conditioned on Your acknowledgment and agreement to the following:
4.1 The content available through the Subscription Service does not constitute an employee health plan, and does not replace or supplement any form of insurance coverage that You make available to Your employees.
4.2 The content provided through the Subscription Service is for informational and educational purposes only. The provision of this content does not create a medical professional/patient relationship between Your Authorized Users and Recode Health, or Your Authorized Users and any health care professional whose content appears on the Services. Nor does the provision of content constitute an opinion, medical advice, or diagnosis or treatment of any medical condition.
4.3 The provision of the Subscription Services does not satisfy any legal or contractual obligation You may have to provide health care or health insurance to any of Your employees, including Your Authorized Users. You are solely responsible for understanding and fulfilling Your legal obligations to Your employees.
5. RESPONSIBILITY FOR USE OF THE SUBSCRIPTION SERVICE
As between You and us, You are solely responsible for the acts of Your Authorized Users while accessing and using the Subscription Service. You will not use or permit the use of the Subscription Service: (i) to communicate any message or material that is defamatory, harassing, libelous, threatening, or obscene; (ii) in a way that violates or infringes upon the intellectual property rights or the privacy or publicity rights of any person or entity or that may otherwise be unlawful or give rise to civil or criminal liability; (iii) in any manner that is likely to damage, disable, overburden, or impair the System or the Subscription Service or interfere with the use or enjoyment of the Subscription Service by others; or (iv) in any way that constitutes or encourages conduct that could constitute a criminal offense.
6. SUBSCRIBER SUPPORT
Recode Health will provide support to You as specified in the Service Plan selected by You. Details regarding our support are available at StriveBenefits.com.
7. TRANSACTION DATA STORAGE
Recode Health may retain Transaction Data for as long as it has a business purpose to do so.
8. DEPOSITS, SERVICE LIMITS, CREDIT REPORTS, AND RETURN OF BALANCES
You authorize us to ask consumer reporting agencies or trade references to furnish us with employment and credit information, and You consent to our rechecking and reporting personal and/or business payment and credit history if, in our sole discretion, we so choose. If You believe that we have reported inaccurate information about Your account to a consumer reporting agency, You may send a written notice describing the specific inaccuracy to the address provided in the Notices section below.
9. TERM AND TERMINATION
9.1 The term of these Terms and Conditions for each Client begins on the date You send us the eligibility file and can be terminated in accordance with the applicable SOW .
9.2 For any termination, You will be responsible for payment of all fees and charges through the end of the billing cycle in which termination occurs.
9.3 You will be in default of these Terms and Conditions if You: (a) fail to pay any amount owed to us; (b) have amounts still owing to us from a prior account; (c) breach any provision of these Terms and Conditions; (d) violate any policy applicable to the Subscription Service; (e) are subject to any proceeding under the Bankruptcy Code or similar laws; or (f) if, in our sole discretion, we believe that Your continued use of the Subscription Service presents a threat to the security of other users of the Subscription Service. If You are in default, we may, without notice to You, suspend Your Account and use of the Subscription Service, withhold refunds and terminate Your Account, in addition to all other remedies available to us. We may require reactivation charges to reactivate Your Account after termination or suspension. The following provisions will survive the termination of these Terms and Conditions and Your Account: Sections 3, 9-11, and 14-22.
10. SUBSCRIBER WARRANTIES
You hereby represent and warrant to Recode Health that: (a) You have all necessary rights and authority to use the Subscription Service under these Terms and Conditions and to grant all applicable rights herein; (b) the performance of Your obligations under these Terms and Conditions will not violate, conflict with, or result in a default under any other agreement, including confidentiality agreements between You and third parties; (c) You will use and authorize Your Authorized Users to use the Subscription Service for lawful purposes only and subject to these Terms and Conditions; (d) You are responsible for all use of the Subscription Service in Your Account; (e) You are solely responsible for maintaining the confidentiality of Your Account names and password(s); (f) You agree to immediately notify us of any unauthorized use of Your Account of which You become aware; (g) You agree that Recode Health will not be liable for any losses incurred as a result of a third party’s use of Your Account, regardless of whether such use is with or without Your knowledge and consent; (h) You will not use the Subscription Service in any manner that could damage, disable, overburden or impair the System, or interfere with another’s use of the Subscription Service; (i) any information submitted to Recode Health by You is true, accurate, and correct; and (j) You will not attempt to gain unauthorized access to the System or the Subscription Service, other accounts, computer systems, or networks under the control or responsibility of Recode Health through hacking, cracking, password mining, or any other unauthorized means.
11. RECODE HEALTH WARRANTIES
Recode Health represents and warrants that: (a) the performance of our obligations under these Terms and Conditions will not violate, conflict with, or result in a default under any other agreement, including confidentiality agreements between us and third parties; (b) the Subscription Service will work in accordance with the Documentation provided by us in their then-current form at the time of the provision of such Subscription Service; and (c) Recode Health has implemented information security policies and safeguards to preserve the security, integrity, and confidentiality of content that You and Your Authorized Users submit to the Subscription Service.
12. DISCLAIMER OF WARRANTIES
THE SUBSCRIPTION SERVICE AND THE PROFESSIONAL SERVICES ARE PROVIDED“AS IS”. WE MAKE NO EXPRESS OR IMPLIED WARRANTIES OR GUARANTEES ABOUT THE SUBSCRIPTION SERVICE OR THE PROFESSIONAL SERVICES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE HEREBY DISCLAIM ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT INFORMATION OR RESULTS OBTAINED FROM THE USE OF THE SUBSCRIPTION SERVICE OR THE PROFESSIONAL SERVICES WILL BE EFFECTIVE, RELIABLE OR ACCURATE OR WILL MEET YOUR REQUIREMENTS. WE DISCLAIM ALL WARRANTIES WITH RESPECT TO THIRD PARTY CONTENT ON THE SUBSCRIPTION SERVICE. WE MAKE NO WARRANTIES ABOUT THE INFORMATION SYSTEMS, SOFTWARE AND FUNCTIONS MADE ACCESSIBLE THROUGH THE SUBSCRIPTION SERVICE OR ANY OTHER SECURITY ASSOCIATED WITH THE TRANSMISSION OF SENSITIVE INFORMATION. WE DO NOT WARRANT THAT THE SUBSCRIPTION SERVICE WILL OPERATE ERROR-FREE, THAT LOSS OF DATA WILL NOT OCCUR, OR THAT THE SUBSCRIPTION SERVICE OR SOFTWARE ARE FREE OF COMPUTER VIRUSES, CONTAMINANTS OR OTHER HARMFUL CODE. YOUR ONLY REMEDY FOR DEFECTIVE PROFESSIONAL SERVICES WILL BE THAT RECODE HEALTH WILL, AT ITS OPTION, REPAIR OR REPLACE ANY DEFECTIVE DELIVERABLES PROVIDED THROUGH OUR PROFESSIONAL SERVICES OR ISSUE A REFUND FOR MONIES PAID FOR THE DEFECTIVE SERVICES.
13. SUBSCRIBER INDEMNIFICATION OBLIGATIONS
Each party will defend, indemnify, and hold us, our affiliates, officers, directors, employees, suppliers, consultants, and agents harmless from any and all third party claims, liability, damages, and costs (including, but not limited to, attorneys’ fees) arising from or related to: (a) its use or provision of the Subscription Service and the deliverables from Recode Health’s Professional Services; (b) its violation of these Terms and Conditions; (c) its infringement of any intellectual property or other right of any person or entity.
14. LIMITATIONS OF LIABILITY
IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ANYONE ELSE FOR ANY DECISION MADE OR ACTION TAKEN BY IN RELIANCE ON THE SUBSCRIPTION SERVICE. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY DISCLAIMS LIABILITY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, RELIANCE, OR CONSEQUENTIAL DAMAGES, (ii) LOSS OF PROFITS, (iii) BUSINESS INTERRUPTION, (iv) REPUTATIONAL HARM, OR (v) LOSS OF INFORMATION OR DATA. THESE EXCLUSIONS APPLY TO ANY CLAIMS FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, ANY OTHER COMMERCIAL DAMAGES OR LOSSES, OR MEDICAL MALPRACTICE OR NEGLIGENCE OF HEALTH CARE PROVIDERS UTILIZED THROUGH USE OF THE SUBSCRIPTION SERVICE, EVEN IF IT KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, UNDER NO CIRCUMSTANCES WILL RECODE HEALTH’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THE SUBSCRIPTION SERVICE (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EXCEED THE TOTAL AMOUNT PAID BY YOU TO RECODE HEALTH UNDER THESE TERMS AND CONDITIONS DURING THE 3 MONTHS PRECEDING THE DATE OF THE ACTION OR CLAIM. RECODE HEALTH’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO OUR PROFESSIONAL SERVICES WILL BE CAPPED AT THE AMOUNT ACTUALLY PAID BY YOU FOR THE AFFECTED PROFESSIONAL SERVICES.
“Confidential Information” means any confidential, proprietary and trade secret information of Recode Health that is disclosed to or made available to You. Confidential Information does not include any information that: (a) was rightfully known to You prior to receiving it from Recode Health; (b) is independently developed by You without use of or reference to any Confidential Information; (c) is rightfully acquired by You from another source without restriction as to use or disclosure; or (d) is or becomes publicly known through no fault or action of You. During and after the Term of these Terms and Conditions, You will: (i) use the Confidential Information solely for the purpose for which it is provided; (ii) not disclose such Confidential Information to a third party; and (iii) protect such Confidential Information from unauthorized use and disclosure to the same extent that You protect Your own Confidential Information of a similar nature (but no less than reasonable care under the circumstances). If You are required by law to disclose the Confidential Information, You must give prompt written notice of such requirement before such disclosure and assist the Recode Health in obtaining an order protecting the Confidential Information from public disclosure. You acknowledge that, as between You and us, all Confidential Information You receive from Recode Health, including all copies, is proprietary to and exclusively owned by Recode Health.
17. ACCESS LIMITS
18. INTELLECTUAL PROPERTY
Recode Health is the owner of various intellectual property and technology rights associated with the Subscription Service and the Professional Services. Except for the rights expressly granted in the Agreement, Recode Health does not transfer to You or any Authorized User any of Recode Health’s technology or other intellectual property or technology rights. All right, title, and interest in and to Recode Health’s technology and intellectual property will remain solely with the Recode Health. You agree that You will not, directly or indirectly, reverse engineer, decompile, disassemble, or otherwise attempt to derive source code or other trade secrets from the Subscription Service or Recode Health’s technology. Recode Health agrees that data and information provided by You under these Terms and Conditions will remain, as between You and Recode Health, owned by You.
If You choose to provide us with any feedback, suggestions, or similar communications (collectively, “Feedback”), You grant to Recode Health a perpetual, sublicensable, assignable, unrestricted, worldwide, royalty-free, fully paid-up, irrevocable license, under all of Your intellectual property rights, to use, reproduce, display, perform, modify, create derivative or collective works and distribute Your Feedback, and any of our products or services embodying Your Feedback, in any manner we choose, without reference to the source.
20.1 Recode Health will be and act as an independent contractor (and not as the agent or representative of You) in the performance of these Terms and Conditions. These Terms and Conditions will not be interpreted or construed as: (a) creating or evidencing any association, joint venture, partnership, or franchise between the parties; (b) imposing any partnership or franchise obligation or liability on either party; (c) prohibiting or restricting either party’s performance of any services for any third party; or (d) establishing or as a foundation for any rights or remedies for any third party, whether as a third party beneficiary or otherwise. You must not represent to anyone that You is an agent of Recode Health or is otherwise authorized to bind or commit Recode Health in any way without Recode Health’s prior authorization.
20.2 You may not assign its rights, duties, or obligations under these Terms and Conditions without Recode Health’s prior written consent. If consent is given, these Terms and Conditions will bind Your successors and assigns. Any attempt by You to transfer its rights, duties, or obligations under these Terms and Conditions except as expressly provided in these Terms and Conditions is void. Recode Health may freely assign its rights, duties, and obligations under these Terms and Conditions. Recode Health may utilize a subcontractor or other third party to perform its duties under these Terms and Conditions so long as: (a) Recode Health will not be relieved of any responsibilities or obligations under these Terms and Conditions that are performed by the subcontractor or third party; and (b) Recode Health will remain Your sole point of contact and sole contracting party.
20.3 We may provide, or third parties may provide, links to other Web sites or resources that are beyond our control. We make no representations as to the quality, suitability, functionality, or legality of any sites to which links may be provided, and You hereby waive any claim You might have against us with respect to such sites. RECODE HEALTH IS NOT RESPONSIBLE FOR THE CONTENT ON THE INTERNET OR WEB PAGES THAT ARE CONTAINED OUTSIDE THE SITE. Your correspondence or business dealings with, or participation in promotions of, advertisers or partners found on or through the Site, including payment and delivery of related goods or services, and any other terms, conditions, warranties, or representations associated with such dealings, are solely between You and such advertiser or partner. You agree that we are not responsible or liable for any loss or damage of any sort incurred as the result of any such dealings or as the result of the presence of such advertisers or partners on the Site.
20.4 Any notice required or permitted to be given in accordance with these Terms and Conditions will be effective if it is in writing and sent by email, certified or registered mail, or insured courier, return receipt requested. Notices to You will be sent to the address You provided in Your Service Plan, unless You notify us of another address in writing.
20.5 Neither party will be liable for, or be considered to be in breach of or default under these Terms and Conditions on account of, any delay or failure to perform as required by these Terms and Conditions as a result of any cause or condition beyond such party’s reasonable control, so long as such party uses all commercially reasonable efforts to avoid or remove such causes of non-performance or delay.
20.7 The waiver by either party of any breach of any provision of the Agreement does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with the Agreement will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of the Agreement.
20.8 If any part of these Terms and Conditions is found to be illegal, unenforceable, or invalid, the remaining portions of these Terms and Conditions will remain in full force and effect. If any material limitation or restriction on the grant of any license to You under these Terms and Conditions is found to be illegal, unenforceable, or invalid, the license will immediately terminate.
20.9 Except as set forth in Section 2 of these Terms and Conditions, these Terms and Conditions may not be amended except in writing signed by both You and us. In the event that we make such a change that has a material adverse impact on Your rights or use of the Service, You may terminate these Terms and Conditions by giving us notice within 20 days of the date we notify You, and You will not be charged any cancellation fee. These Terms and Conditions are the final and complete expression of the agreement between these parties regarding the Subscription Service. These Terms and Conditions supersede, and the terms of these Terms and Conditions govern, all previous oral and written communications regarding these matters.
This HIPAA Business Associate Agreement (the “BAA”) is made and entered into by and between your company, on behalf of itself and all of its affiliates (collectively “ “Covered Entity”) and Recode Health, LLC (“Business Associate,” as defined in HIPAA, defined below) effective as of the date of the STRIVE Contract (“Effective Date”). It supplements and is made a part of all agreements, oral or written, including any past engagement for which Business Associate retains PHI (defined in paragraph 1(d) below), any current engagement and any future engagement (collectively the “Agreement”), by and between Covered Entity and Business Associate.
A. Under the above Agreement, Business Associate has access to data which may include both Protected Health Information (“PHI,” defined below) and non-PHI disclosed or made available by or on behalf of Covered Entity to Business Associate.
B. Covered Entity and Business Associate are required to comply with the Health Insurance Portability and Accountability Act (“HIPAA,” defined below) and other laws which protect the privacy and security of patients’ PHI.
C. HIPAA requires the parties to enter into a contract containing specific requirements to protect the security and privacy of patients’ PHI.
In consideration of the foregoing and the mutual promises and exchange of information pursuant to this Agreement, the parties agree to amend the Agreement by incorporating all of the following into the Agreement:
1. General Provisions, Including Definitions. The recitals are incorporated by reference into this BAA. This BAA is intended to apply all services provided to Covered Entity by Business Associate, as of the Effective Date, whether or not such engagement has been reduced to writing, and supersedes any form of business associate agreement, exhibit or provision that the parties may have heretofore entered into. In this BAA, Covered Entity shall have all the rights, duties and obligations of the “Covered Entity” as defined under HIPAA (defined below), and Business Associate shall have all the rights, duties and obligations of the “Business Associate” as defined under HIPAA (defined below). All capitalized terms not defined herein shall have the meaning ascribed to them by HIPAA (defined below), including Business Associate, Covered Entity, Data Aggregation and Designated Record Set.
(a) “Breach” shall mean the unlawful or unauthorized access to, viewing, acquisition, use or disclosure of PHI that compromises the security or privacy of said PHI.
(b) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005) and the rules, guidance and regulations promulgated thereunder, as amended from time to time, including 45 Code of Federal Regulations, Parts 160 and 164.
(c) “Patient” shall have the same meaning as the term “individual” under HIPAA and shall include a person who qualifies as a personal representative.
(d) “Protected Health Information” (“PHI”) shall have the meaning given to such term under HIPAA and shall include any information, whether oral or recorded in any form or medium, limited to the information created or received by Business Associate from or on behalf of Covered Entity (i) that relates to the past, present or future physical or mental health condition of the patient, the provision of health care to patient, or the past, present or future payment for the provision of health care to patient; and (ii) that identifies the patient or with respect to which there is a reasonable basis to believe the information can be used to identify the patient.
(e) “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or her/his designee.
(f) “Security Incident” shall mean any accidental, malicious or natural act that: (i) Results in a Breach of any PHI or credit card information; or (ii) Materially adversely impacts the functionality of the Covered Entity network; or (iii) Permits unauthorized access to the Covered Entity network; or (iv) Involves the loss or loss of control of a Covered Entity owned or managed information technology resource; or (v) Involves the use of Covered Entity technology resources for illegal purposes or to launch attacks against other individuals or organizations; or (vi) Materially impacts the integrity of Covered Entity’s files or databases maintained on the Covered Entity network including, but not limited to: (1) interface failures; (2) inadequate testing or change control procedures; or (3) other failures which result in the deletion or unauthorized changes to an electronic database. A “Security Incident” shall not include any attempted access of system operations in an information system by a Packer Internet Groper (PING) program.
(g) “State” shall mean the state in which the Covered Entity is located.
(h) “Subpart E” shall mean 45 Code of Federal Regulations, Part 164, Subpart E, which consists of Sections 164.500 et seq., as amended from time to time.
2. Permitted Uses and Disclosures by Business Associate
(a) For Covered Entity. Except as otherwise limited in the Agreement and this BAA, Business Associate (i) shall create, maintain, transmit, access, use or disclose PHI only for the benefit of Covered Entity and to perform functions, activities, or services as specified in the Agreement, and (ii) shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
(b) Minimum Necessary. Business Associate shall use only the minimum amount of PHI necessary to perform the specified functions, activities or services, in accordance with Covered Entity’s minimum necessary policies and procedures. In the event of inadvertent access by Business Associate to more than the minimum necessary amount of Covered Entity’s PHI, Business Associate will: (i) treat all such PHI in accordance with the Agreement and this BAA; (ii) promptly notify Covered Entity, in accordance with paragraph 3(d) below, of such access; (iii) erase, delete, and/or return such PHI as quickly as possible; and (iv) take all necessary actions to prevent further unauthorized access to PHI beyond the minimum necessary amount.
(c) Management of Business Associate. Except as otherwise limited in the Agreement or this BAA, Business Associate may use or disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that (i) the disclosure is required or permitted by law, or (ii) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such information shall remain confidential and be used or further disclosed solely as required by law or for the purpose of assisting Business Associate to meet Business Associate’s obligations under the BAA. Business Associate shall require any person to whom PHI is disclosed under this subsection to notify Business Associate of any instance of which it is aware in which the confidentiality or security of the PHI has been breached. Notwithstanding the foregoing, Business Associate may de-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c).
(d) Data Aggregation. Except as otherwise permitted in the Agreement and this BAA, Business Associate may use PHI to provide Data Aggregation services.
(e) Compliance with State Laws. Business Associate may use, disclose and access PHI only as permitted by State law, unless such State law is contrary to HIPAA and is preempted by HIPAA in accordance with 45 Code of Federal Regulations Sections 160.201 et seq.
3. Obligations of Business Associate
(a) Use. Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement, this BAA or as required by law.
(b) Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Agreement and this BAA. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, security, integrity and availability of PHI that it receives, maintains, transmits or creates on behalf of Covered Entity and that comply with the requirements of HIPAA. In addition, if Business Associate conducts credit card transactions (i) such safeguards shall consist of or include the recommendations of the Payment Card Industry Data Security Standards, found at https://www.pcisecuritystandards.org and (ii) Business Associate shall not store security code (i.e. CVC) information or credit card magnetic strip information in any form.
(c) Mitigation. Business Associate shall promptly mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the Agreement and this BAA.
(d) Notify Covered Entity. Business Associate shall promptly notify Covered Entity of any Security Incident or Breach in writing in the most expedient time possible, and not to exceed five business days in the event of a Breach, following Business Associate’s initial awareness of such Security Incident or Breach. Notwithstanding any notice provisions in the Agreement, such notice shall be made to the Covered Entity Chief Privacy Official or his/her designee by means of fax or by email. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any Breach or Security Incident. Notwithstanding anything to the contrary in this BAA, the parties agree that this Section 3(d) satisfies notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below), for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” include pings, broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service or any combination of the above, so long as no such incident results in a Breach.
(e) Breach Notification. Following notification to Covered Entity of a Breach, Business Associate shall promptly cooperate with Covered Entity in determining which entity shall provide any required Breach notification. If the parties agree that Business Associate shall provide any required Breach notification, Business Associate shall provide such notification timely and provide Covered Entity with documentation of Business Associate’s actions, including documentation of the names and addresses of those to whom the notifications were provided.
(f) Access. If Business Associate holds PHI in Designated Record Sets as determined by Covered Entity, Business Associate shall provide prompt access to the PHI to Covered Entity whenever so requested by Covered Entity, or, if directed by Covered Entity, to a Patient in order to meet the requirements of HIPAA and State Law, as applicable. If requested, such access shall be in electronic format. If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI, or (ii) requests its disclosure to a third party, the Business Associate shall promptly notify Covered Entity’s facility privacy official of such request.
(g) Amendments. Business Associate shall promptly make amendment(s) to PHI requested by Covered Entity and shall do so in the time and manner requested by Covered Entity to enable it to comply with HIPAA and State Law, as applicable. If Patient requests an amendment to his or her PHI, directly from Business Associate, the Business Associate shall promptly notify Covered Entity’s facility privacy official of such request and await such official’s denial or approval of the request.
(h) Internal Records. Business Associate shall promptly make its internal practices, books, records, including its policies and procedures, relating to the use, disclosure, or security of PHI that the Business Associate received from, maintained or created for or on behalf of Covered Entity, available to the Secretary to enable the Secretary to determine compliance with HIPAA.
(i) Accountings. Business Associate shall document all disclosures of PHI and information related to such disclosures as required under HIPAA in order that it may provide an accounting of such disclosures as Covered Entity directs. Business Associate shall: (i) Provide an accounting as required under HIPAA to those Patients who direct their requests to Business Associate; or (ii) Provide the accounting information required under HIPAA to Covered Entity, if so requested by Covered Entity, in the time and manner specified by Covered Entity.
(j) Preservation. Business Associate shall cooperate with Covered Entity and its medical staff to preserve and protect the confidentiality of PHI accessed or used pursuant to the Agreement and shall not disclose or testify about such information during or after the termination of the Agreement, except as required by law.
(k) Destruction. If, during the term of the Agreement, Business Associate wishes to destroy the PHI, it shall notify Covered Entity in writing about its intent to destroy data at least ten (10) days before such date of destruction, and shall comply with the requirements for destruction of PHI found in Section 5(a) of this BAA. If Covered Entity requests the return of any PHI, Business Associate shall comply as requested.
(l) HIPAA Compliance. Business Associate shall comply with 45 Code of Federal Regulations Part 164, Subpart C with respect to electronic PHI. The written policies and procedures and documentation required to be maintained by Business Associate under the Agreement, this BAA and HIPAA shall be made available to Covered Entity, upon Covered Entity’s request.
(m) Subcontractors. Business Associate shall ensure that any agent including a subcontractor that creates, receives, maintains, or transmits PHI on behalf of Covered Entity or Business Associate agrees in a written contract with Business Associate to the same restrictions and conditions that apply to Business Associate with respect to such information. In performing services under this BAA, neither Business Associate nor its agents, employees or subcontractors shall transmit, maintain or disclose PHI outside of the United States of America and its territories
4. Effect of Breach of Obligations. If Business Associate breaches any of its obligations, Covered Entity shall have the option to do the following:
(a) Cure. Provide Business Associate an opportunity to cure the breach, to the extent curable, and end the violation within thirty (30) days written notice by Covered Entity. If Business Associate does not cure the breach or end the violation as and within the time specified by Covered Entity, or if the breach is not curable, Covered Entity may terminate this BAA; or
(b) Termination. Immediately terminate the BAA, if Covered Entity reasonably determines that Business Associate (1) has acted with gross negligence in performing its obligations; (2) is in willful violation of applicable law; (3) willfully has violated or is violating the privacy and security provisions of this BAA or HIPAA; or (4) is unable to provide, if requested, written assurances to Covered Entity of its ability to protect the confidentiality and security of the PHI. Such termination of the Agreement shall be without prejudice to other legal remedies available to Covered Entity.
5. Effect of Termination
(a) Disposition of PHI. Upon termination of this BAA and subject to Section 5(b) below, Business Associate shall promptly return to Covered Entity a copy of all PHI, including derivatives thereof (which for clarity does not include de-identified information), and shall take all reasonable steps to promptly destroy all other PHI held by Business Associate by: (i) shredding; (ii) securely erasing, or (iii) otherwise modifying the information in those records to make it unreadable or undecipherable through any means. This provision shall apply to PHI in the possession of subcontractors or agents of Business Associate. At Covered Entity’s request, Business Associate shall certify in writing that it has complied with the requirements of this Section.
(b) Infeasible; Survival. If the return or destruction of PHI is infeasible, Business Associate shall promptly notify Covered Entity of the conditions that make such return or destruction infeasible. Upon mutual determination by the parties that return or destruction of PHI is infeasible, the obligations of the Business Associate under this Amendment shall survive the termination of this BAA. Business Associate shall limit the further use or disclosure of all PHI to the purposes that make its return or destruction infeasible. If Business Associate subsequently wishes to destroy PHI, Business Associate shall notify Covered Entity in writing about its intent to destroy data at least ten (10) days before such date of destruction, and shall comply with Section 5(a) above. If Covered Entity requests the return of any PHI, Business Associate shall comply as requested.