Terms and Conditions
Agreement means the Project Proposal, the Order Form and any other documents attached thereto, and these Terms and Conditions.
Business Day means any day of the year that is not a Saturday, Sunday or a day on which banks are required or authorized to close in New York, New York.
Client means the Person whose name and other particulars are set out in the Project Proposal and Order Form.
Client Content means all materials, writing, photographs (including any patient photographs), or other creative content provided by Client used in preparing or creating the Deliverables.
Company means Docero LLC, a New York limited liability company.
Completion Date means the date that Company shares/delivers the beta/preview link of the Project with Client.
Deliverables means the services and work product specified in the Project Proposal to be delivered by Company to Client.
Designer Tools means all design tools developed and/or used by Company in performing the Services, including, without limitation, pre-existing and newly developed software including source code, Web authoring tools, type fonts, and application tools, together with any other software, or other inventions whether or not patentable, and general non-copyrightable concepts such as website design, architecture, layout, navigational and functional elements.
Final Deliverables means the final versions of Deliverables provided by Company and accepted by Client.
Monthly Services means monthly services that Company agrees to provide to Client on a monthly or longer term basis, including, without limitation, website hosting services.
Party means either Company or Client; Parties means together, Company and Client.
Person means an individual, sole proprietorship, partnership, limited partnership, limited liability partnership, corporation, limited liability company, business trust, joint stock company, firm, trust, incorporated association, joint venture, medical practice, or other entity, organization, including a government or political subdivision, department, or agency of a government, or combination thereof.
Project means the scope and purpose of Client’s identified work product as described in the Project Proposal.
Service Period means the period of any outstanding Services, which term for Services shall be set forth in the Order Form.
Services means all services and the work product to be provided to Client by Company as described and otherwise further defined in the Project Proposal.
Terms and Conditions means these Terms and Conditions.
Third Party Materials means proprietary third party materials which are incorporated into the Final Deliverables, including without limitation stock photography and illustrations.
2. Professional Services; Rights to Content
(a) Professional Services: Company shall perform the services listed in the Project Proposal in a commercially reasonable manner.
(b) Ownership of Final Deliverables: Subject to the terms and conditions of the Agreement, Client shall be the owner of the Final Deliverables other than (i) the Designer Tools, (ii) any intellectual property licensed by Company, and (iii) any other intellectual property that Company is not permitted by contract or law to transfer or assign to Client, including, but not limited to, licenses with respect to Third Party Materials.
(c) Client Content; License in favor of Company: Client Content is the exclusive property of Client. Client grants Company a non-exclusive, non-transferable license to use, reproduce, modify, display and publish the Client Content solely in connection with Company’s performance of the Services and limited promotional uses of the Deliverables as authorized in the Agreement.
(d) Designer Tools; License in favor of Client: All Designer Tools are and shall remain the exclusive property of Company. Company grants Client a non-exclusive, non-transferable, perpetual, worldwide license to use the Designer Tools solely to the extent incorporated in the Final Deliverables for the Project.
(e) Alternations to Final Deliverables: Client may alter or modify the Final Deliverables; provided that, Client does not breach any of the terms and conditions of the Agreement.
(a) Fees: Client agrees to pay Company the Fees listed in the Project Proposal, including all applicable taxes.
(b) Additional Costs: Pricing in the Project Proposal includes only Company fees. Any other costs and expenses, including, without limitation, third party fees, incurred outside the scope of work defined in the Project Proposal will be billed to Client.
(c) Hosting Final Deliverables: Company will host the Final Deliverables on Company servers while the Project is under construction. If Client does not give approval to launch Client website containing Final Deliverables within thirty (30) days of the Completion Date, Client agrees to pay Company one hundred dollars ($100) per month for hosting until the Final Deliverables are approved to be published live to the Internet.
(a) Project Invoices: Other than as expressly set forth in the Project Proposal, Order Form, or agreed to in writing between Company and Client, all Project invoices are due on receipt. Invoices shall list any expenses and additional costs as separate items.
(b) Monthly Services Invoices: Other than as expressly set forth in the Project Proposal, Order Form, or agreed to in writing between Company and Client, Company shall charge Client’s credit card on file on the first day of each calendar month for the then current calendar month’s Monthly Services.
5. Late Payment
(a) Late Fee: A monthly service fee of one and one-half percent (1.5%), or the maximum allowed by law, is payable on all overdue balances.
(b) Crediting Late Payments: Payments will be credited to late payments first, then to unpaid balances.
(c) Collection Expenses: Client shall pay all collection or legal fees caused by late payments.
(d) Withholding Delivery: Company reserves the right to withhold Deliverables, suspend Services, and not transfer ownership of the Final Deliverables (other than (i) the Designer Tools, (ii) any intellectual property licensed by Company, and (iii) any other intellectual property that Company is not permitted by contract or law to transfer or assign to Client for which ownership shall not be transferred in any instance), if Client’s accounts are not current or overdue invoices are not paid in full.
(e) Withholding License: Company may also withhold the granting of any licenses or the transfer of ownership of any intellectual property rights (other than (i) the Designer Tools,
(ii) any intellectual property licensed by Company, and (iii) any other intellectual property that Company is not permitted by contract or law to transfer or assign to Client for which ownership shall not be transferred in any instance) to Client with respect to Deliverables, Final Deliverables, or Services, if Client’s accounts are not current or overdue invoices are not paid in full.
6. Changes to Project Scope; Enhancements
(a) Change Request: If Client wants to change the scope of work after acceptance of the Agreement, Client shall send Company a written change request describing the requested changes in detail (the “Change Request”). Within five (5) Business Days of receiving a Change Request, Company will respond with a statement proposing additional fees, changes to delivery dates, and any modification to the Terms and Conditions. Company will evaluate each Change Request at its standard rate and charges.
(b) Major Change: If the aggregate Fees resulting from the Change Request exceed the total fees for the Project set forth in the original Project Proposal by fifteen percent (15%) or more, Company shall be entitled to submit a new and separate Project Proposal to Client for written approval; provided that, the execution of a new and separate Project Proposal does not release Client from any of its obligations under the original Project Proposal or Order Form; provided further that, any charges in connection with the Change Request or the new and separate Project Proposal shall be in addition to all other amounts due and payable by Client under the original Project Proposal or Order Form despite any maximum budget, contract price or final price identified therein. Company shall not begin work on the revised Project Deliverables until a fully executed revised Project Proposal, including any additional fees are received.
(c) Minor Change: If Client requests are not Major Changes, Client will be billed on a time and materials basis at a Company hourly rate of two hundred dollars ($200) per hour. Such charges shall be in addition to all other amounts payable under the Agreement, despite any maximum budget, contract price or final price identified. Company may extend or modify any delivery schedule or deadlines in the Agreement as may be required by such changes.
(d) Acceptance/Rejection: Client will have five (5) days to respond in writing accepting or rejecting the new Project Proposal. If Client rejects the Project Proposal, Company will not be obligated to perform any services beyond those set forth in the Agreement, as originally executed.
(e) Enhancements: During the Service Period, Client may request that Company develop enhancements to the Deliverables. Company shall exercise commercially reasonable efforts to prioritize Company resources to create such enhancements. Client understands Company may have preexisting obligations that may delay requested enhancements. Any requested Client enhancements shall require a Change Request as described in Section 6(a) above and the pricing with respect to such Change Request shall be governed by the provisions of this Section 6.
(a) Client Delays: Client agrees that it shall provide any needed information, materials and approvals set forth in the Agreement. Company shall not be responsible for any delays in the completion of Deliverables as a result of Client’s delay in providing such information, materials and approvals.
(b) Force Majeure: Each Party shall be excused from liability for the failure or delay in performance of any obligation under the Agreement by reason of any event beyond such Party’s reasonable control, including but not limited to, Acts of God, fire, flood, explosion, earthquake, or other natural forces, war, civil unrest, any strike or labor disturbance. Such excuse from liability shall be effective only to the extent and duration of the event(s) causing the failure or delay in performance and provided that the Party has not caused such event(s) to occur. Notice of a Party’s failure or delay in performance due to force majeure must be given to the other Party within five (5) Business Days after its occurrence. Any delivery dates under the Agreement that have been affected by force majeure shall be tolled for the duration of such force majeure. In no event shall either Party be required to prevent or settle any labor disturbance or dispute. In the event of a force majeure that persists for thirty (30) days or more, then either Party may terminate the Agreement upon written notice to the other Party.
8. Evaluation and Acceptance
Client shall, within ten (10) Business Days after receiving each Deliverable, notify Company in writing of any failure to comply with the specifications set forth in the Project Proposal or of any other objections, corrections or changes required. Company shall, within five (5) Business Days of receiving Clients notification, correct and submit a revised Deliverable to Client. Client shall, within five (5) Business Days of receiving a revised Deliverable, either approve the corrected version or make further changes. All objections, corrections and changes shall be subject to the terms and conditions of the Agreement.
9. Client Responsibilities
(a) Client Content; Deliverables:
(i) Client acknowledges that it is responsible for performing the following in a reasonable and timely manner: (A) unless otherwise specified in the Project Proposal, provide Client Content in a form suitable for use in the Deliverables without further preparation by Company, and (B) proofread all Deliverables (Client will be charged for correcting errors after the acceptance of any Deliverable).
(ii) Client is responsible for obtaining any and all necessary waivers or written consents to rightfully use Client Content in Deliverables.
(b) Maintenance of Records; Patient Health Information (PHI):
(i) Client is responsible for storing and maintaining all necessary waivers or written consents obtained pursuant to Section 9(a)(ii) above.
(ii) Client is responsible for the removal or “de-identification” of any Patient Health Information (PHI) contained within Client Content (including but not limited to file names or descriptions) before sharing with Company. In no event shall Company be responsible for the removal or “de-identification” of any Patient Health Information (PHI) contained within Client Content (including but not limited to file names or descriptions) before sharing with Company.
10. Accreditation and Promotion
(a) Accreditation: Company shall be entitled to place accreditation, as a hyperlink or otherwise, on each page of the Final Deliverables.
(b) Promotion: Company retains the right to reproduce, publish and display the Deliverables in Company portfolios and websites, galleries, design periodicals and other media or exhibits for the purposes of recognition of creative excellence or professional advancement, and to be credited with authorship of the Deliverables in connection with such uses.
(c) Promotional Approval: Either Party, subject to the other’s reasonable approval, may describe its role in the Project on its website and in other promotional and marketing materials, and, if not expressly objected to, include a link to the other Party’s website.
11. Confidential Information
Client’s “Confidential Information” includes information that Company should reasonably believe to be confidential to Client (“Client Confidential Information”).
Company “Confidential Information” includes information that Client should reasonably believe to be confidential to Company, including, without limitation, the source code of any Designer Tools (“Company Confidential Information” and together with Client Confidential Information, “Confidential Information”).
Each Party agrees that, except as set forth in the Agreement, Confidential Information is confidential and proprietary to each Party, as applicable, and each Party shall (a) hold the Confidential Information in confidence, (b) not use the Confidential Information other than to perform the services set forth in the Agreement, and (c) disclose it only to its directors, managers, officers, employees, consultants, advisors, agents, attorneys, and others who have a specific need to know such Confidential Information (each a “Representative”); provided, that, each Party informs each Representative, as applicable, of the confidential nature of the information disclosed, and each Representative agrees to be bound by the provisions of this Section.
Notwithstanding the foregoing, Confidential Information does not include information which (i) is already in a Party’s possession or control prior to the date of disclosure, (ii) was or becomes generally available to the public other than as a result of a disclosure by a Party or any of its Representatives, (iii) becomes available to a Party on a non-confidential basis from a source other than the other Party or any of its Representatives, or (iv) is developed by a Party from a non-confidential source, without use of the Confidential Information of the other Party or other breach of the Agreement.
12. Relationship of the Parties
(a) Independent Contractor: Company is an independent contractor. Company shall determine, in its sole discretion, the manner and means by which the Services are accomplished. No agency, partnership, joint venture, or employee-employer relationship is intended or created by the Agreement. Neither Party is authorized to act as agent or bind the other Party except as expressly stated in the Agreement. All rights granted to Client are contractual in nature and are expressly defined by the Agreement.
(b) Design Agents: Company shall be allowed to use third parties as independent contractors in connection with the Services. Company shall remain fully responsible for Design Agents’ compliance with the Agreement.
(c) No Exclusivity: The Agreement does not create an exclusive relationship between the Parties. Client is free to engage others to perform services of the same or similar nature to those provided by Company, and Company shall be entitled to offer and provide design or other services to others, solicit other clients and otherwise advertise the services offered by Company.
13. Representations and Warranties
(a) By Client: Client represents and warrants to Company that: (i) the execution and delivery of the Agreement, the performance by it of its obligations thereunder, and the consummation by it of the transactions contemplated thereby have been duly authorized by all requisite action, (ii) the Agreement has been duly executed and delivered by it and constitutes a legal, valid and binding obligation of it enforceable against it in accordance with its terms except as limited by applicable bankruptcy and insolvency laws and general equitable principles, (iii) to the best of Client’s knowledge, use of the Client Content does not infringe the rights of any third party, (iv) Client shall comply with the terms and conditions of any licensing agreements which govern the use of Third Party Materials, and (v) Client will obtain all necessary and appropriate rights and licenses to grant license to Company to use Third Party Materials.
(b) By Company: Company represents and warrants to Client that: (i) Company will provide the Services identified in the Agreement in a professional and workmanlike manner, and (ii) Company shall secure all necessary rights, title, and interest in and to the Final Deliverables, including Designer Tools, sufficient for Company to grant the intellectual property rights provided in the Agreement.
(c) Disclaimer: If Client or third parties modify the Deliverables or use the Deliverables outside of the scope or purpose of the Agreement, all representations and warranties of Company shall be NULL AND void AND OF NO FURTHER FORCE AND EFFECT. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THE AGREEMENT, COMPANY MAKES NO WARRANTIES WHATSOEVER. COMPANY EXPRESSLY DISCLAIMS ANY OTHER WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR COMPLIANCE WITH LAWS OR GOVERNMENT RULES OR REGULATIONS APPLICABLE TO THE PROJECT.
14. Indemnification and Liability
(a) By Client: Client agrees to indemnify, defend and hold harmless Company and its affiliates, members, stockholders, partners, directors, managers, officers, employees, agents and representatives from and against any and all losses or liabilities, including reasonable attorney fees and costs, arising out of or relating to claims, demands, actions, or causes of action (collectively, “Claims”) that are caused, or alleged to be caused, by, or otherwise arise, or are alleged to arise, from (i) the breach by Client of any provisions of the Agreement, (ii) Client’s performance, failure to perform, or failure to perform properly any of its duties or obligations under the Agreement, or (iii) Client’s infringement or misappropriation of Third Party Materials or any breach of any licensing agreement with respect to Third Party Materials.
(b) By Company: Company agrees to indemnify, defend and hold harmless Client from and against any and all Claims that are caused, or alleged to be caused, by, or otherwise arise, or are alleged to arise, from (i) the breach by Company of any material provisions of the Agreement, or (ii) Company’s performance, failure to materially perform, or failure to materially perform properly any of its duties or obligations under the Agreement. In the case of a third party lawsuit or proceeding based on a Claim that Deliverables breach the third party’s intellectual property rights, and it is determined that such infringement has occurred, Company may at its own expense, replace any infringing content with non-infringing content and such replacement shall be the sole and exclusive remedy of Client under the Agreement with respect to such infringement.
(c) Claims: Neither Party will be liable for any claim for indemnification under the Agreement unless written notice of a Claim for indemnification is promptly delivered by the Party seeking indemnification (the “Indemnified Party”) to the Party from whom indemnification is sought (the “Indemnifying Party”) within ten (10) days after receiving notification of any Claim by a third party which may give rise to a Claim for indemnification (a “Third Party Claim”); provided that, no delay on the part of the Indemnified Party in notifying the Indemnifying Party will relieve the Indemnifying Party from any obligation hereunder except to the extent that the Indemnifying Party is actually materially prejudiced thereby. All notices given pursuant to this Section will describe with reasonable specificity the basis of the Indemnified Party’s claim for indemnification. Upon receipt of notice of a Third Party Claim, the Indemnifying Party will be entitled to reasonably participate in the defense thereof with counsel of its choice at its own cost. Notwithstanding the foregoing, the Indemnified Party will have the right to control and undertake the defense of such Third Party Claim, by counsel or other representatives of its own choosing; provided that, the Indemnified Party shall be prohibited from compromising or settling the claim without the prior written consent of the Indemnifying Party, which consent shall not be unreasonably withheld or delayed. Whether or not the Indemnifying Party chooses to participate in the defense or prosecution any such claim, suit, action or proceeding, the Parties shall reasonably cooperate in the defense or prosecution thereof.
(d) Limitations on Liability: Company’s maximum liability to Client with respect to all Claims for indemnification hereunder shall not exceed the Fees paid by Client to Company. EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS HEREUNDER, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOST DATA, LOST PROFITS, LOST REVENUE, LOST BUSINESS, ANTICIPATED PROFITS OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY, INCLUDING BUT NOT LIMITED TO CONTRACT OR TORT (INCLUDING PRODUCTS LIABILITY, STRICT LIABILITY AND NEGLIGENCE), AND WHETHER OR NOT SUCH PARTY WAS OR SHOULD HAVE BEEN AWARE OR ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY STATED HEREIN.
15. Term and Termination
(a) Term: Unless expressly stated otherwise in an executed Order Form and subject to Section 15(d) hereof, the term of the Agreement (the “Term”) shall commence on the date that the Order Form is executed and shall continue until the earlier of (i) the termination of the Agreement by the Company in accordance with Section 15(b) below, or (ii) the termination of the Agreement by either Party in accordance with Section 3(c) below. For the avoidance of doubt, the Agreement may not be terminated by either Party other than as provided in this Section 15(a).
(b) Termination by the Company: Company may terminate the Agreement as follows: (i) following the expiration of the Service Period, the Company may terminate the Agreement by providing Client with written notice, or (ii) in all other cases, including, without limitation, with respect to Monthly Services, upon fifteen (15) days prior written notice to Client.
(c) Termination by either Party: A Party may terminate the Agreement upon written notice to the other Party if:
(i) The other Party breaches any provision of the Agreement and such breach has not been cured within thirty (30) Business Days after the breaching Party receives notice describing such breach; provided that, if the event or events that caused the breach are cured within the thirty (30) Business Day notice period, the Agreement shall continue in full force and effect as if no breach had occurred; or
(ii) The other Party files, or consents to the filing against it of, a petition for relief under any bankruptcy or insolvency laws, makes an assignment for the benefit of creditors or consents to the appointment of a receiver, liquidator, assignee, custodian, trustee, sequestrator or other official with similar powers over a substantial part of its property; or a court having jurisdiction over such Party or any of the property of such Party shall enter a decree or order for relief in respect thereof in an involuntary case under any bankruptcy or insolvency law, or shall appoint a receiver, liquidator, assignee, custodian, trustee, sequestrator or official with similar powers over a substantial part of the property of such Party, or shall order the winding-up or liquidation of such Party, and such order or decree shall continue in effect for a period of 30 consecutive days.
(d) Auto Renewal of Monthly Services: Unless (i) Company has terminated the Agreement pursuant to Section 15(b) hereof, or (ii) Client has provided written notice to Company of its desire to terminate its Monthly Services at least thirty (30) Business Days prior to the expiration of the then applicable Monthly Services term, Client’s Monthly Services shall automatically renew for the same Monthly Services term at the then applicable Company service rates and the Agreement shall continue in full force and effect.
(e) Survival: The provisions of Sections 1, 2(b)-(e), 3, 4, 5, 9, 12, 13, 14, 15, 16, and 17 shall survive the termination or expiration of the Agreement. The provisions of Section 11 shall survive the termination or expiration of the Agreement for a period of one year.
16. Dispute Resolution
(a) Negotiation: The Parties agree to attempt to resolve any dispute by negotiation between the Parties.
(b) Arbitration/Mediation: If the Parties are unable to resolve the dispute by negotiation, either Party may start mediation and/or binding arbitration in a forum mutually agreed to by the Parties.
(c) Litigation: In all other circumstances, the Parties specifically consent to the local, state and federal courts located in New York County, New York for any and all matters arising out of the Agreement or relationship between the Parties. The Parties waive any jurisdictional or venue defenses available to them and further consent to service of process by mail.
(a) Modification/Waiver: These Terms and Conditions were published on May 1, 2019, and replace with immediate effect the Terms and Conditions previously published on August 21, 2018. Company reserves the right at any time to modify the Agreement and to add new or additional terms or conditions. Such modifications and additional terms and conditions will be effective immediately and incorporated into the Agreement. Failure by either Party to enforce any right or seek to remedy any breach under the Agreement shall not be construed as a waiver of such rights nor shall a waiver by either Party of default in one or more instances be construed as constituting a continuing waiver or as a waiver of any other breach.
(b) Notices: All notices under the Agreement shall be given in writing either by: (i) fax or email, with return confirmation of receipt, and (ii) certified or registered mail, with return receipt requested. Notice will be effective when received, or in the case of email or fax, on confirmation of receipt.
(c) No Assignment: Rights or obligations under the Agreement shall not be transferred, assigned or encumbered without the prior written consent of the other Party; provided that, Company may assign the Agreement and its rights and obligations hereunder and thereunder without the consent of Client to an affiliate of Company or to any Person that purchases the equity interests of Company or all or substantially all of the assets of Company.
(d) Governing Law: The Agreement shall be governed by the law of New York.
(e) Severability: If any provision of the Agreement is held invalid or unenforceable, the remainder of the Agreement shall remain in full force and effect. Where possible the invalid or unenforceable provision shall be interpreted in such manner as to be effective and valid under applicable law.
(f) Headings: Headings and numbering used in the Agreement are for convenience and reference only and shall not affect the scope, meaning, intent or interpretation of the Agreement, and shall not have any legal effect.
(g) Complete Agreement: The Agreement is the entire understanding of the Parties and supersedes all prior understandings and documents relating to the subject matter of the Agreement.
Business Associate Agreement
This Business Associate Agreement (this “BAA”) is entered into on the “Effective Date” by and between Client (“Covered Entity”) and
Company (“Business Associate} (each a “Party” and collectively, the “Parties”).
- Covered Entity is a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);
- Business Associate performs Services for or on behalf of Covered Entity, and in performing said Services; Business Associate creates, receives, maintains, or transmits Protected Health Information (“PHI”);
- The Parties intend to protect the privacy and provide for the security of PHI Disclosed by Covered Entity to Business Associate, or received or created by Business Associate, when providing Services in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (“the HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and
- As a Covered Entity, Covered Entity is required under HIPAA to enter into a BAA with Business Associate that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA.
In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
Article I: Definitions
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
- “Breach” shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
- “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
- “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
- “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
- “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
- “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
- “Services” shall mean the services for or functions on behalf of Covered Entity performed by Business Associate pursuant to any service agreement(s) between Covered Entity and Business Associates which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.
- “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.
- “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.
- “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
Article II: Obligations of Business Associate
- Permitted Uses and Disclosures of Protected Health Information: Business Associate shall not Use or Disclose PHI other than for the purposes listed on the signature page hereto for performing the Services, as permitted or required by this BAA, or as Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so Used or Disclosed by Covered Entity. However, Business Associate may Use or Disclose PHI (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (iii) for Data Aggregation purposes for the Health Care Operations of Covered Entity. To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
- Prohibited Marketing and Sale of PHI: Notwithstanding any other provision in this BAA, Business Associate shall comply with the following requirements: (i) Business Associate shall not Use or Disclose PHI for fundraising or marketing purposes, except to the extent expressly authorized or permitted by this BAA and consistent with the requirements of 42 U.S.C. § 17936, 45 C.F.R. §§ 164.514(f), and 164.508(a)(3)(ii), and (iii) Business Associate shall not directly or indirectly receive remuneration in exchange for PHI except with the prior written consent of Covered Entity and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2), and 45 C.F.R. § 164.502(a)(5)(ii).
- Adequate Safeguards of PHI: Business Associate shall implement and maintain appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. Business Associate shall reasonably and appropriately protect the confidentiality, integrity, and availability of e-PHI that it creates, receives, maintains or transmits on behalf of Covered Entity in compliance with Subpart C of 45 C.F.R. Part 164 to prevent Use or Disclosure of PHI other than as provided for by this BAA.
- Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.
- Reporting Non-Permitted Use or Disclosure:
- Reporting Security Incidents and Non-Permitted Use or Disclosure: Business Associate shall report to Covered Entity in writing each Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce or Subcontractors that is not specifically permitted by this BAA no later than three (3) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident or non-permitted Use or Disclosure of Covered Entity’s PHI that it discovers to determine whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1. Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.
- Breach of Unsecured PHI: If Business Associate determines that a reportable Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Covered Entity without unreasonable delay but no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity shall be in accordance with 45 C.F.R. §164.410(c). Business Associate shall cooperate with Covered Entity in meeting Covered Entity’s obligations under the HITECH Act with respect to such Breach. Covered Entity shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media, as required by the HITECH Act. Business Associate shall reimburse Covered Entity for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach.
- Availability of Internal Practices, Books, and Records to Government: Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act. Except to the extent prohibited by law, Business Associate shall notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary. Business Associate agrees to provide to Covered Entity proof of its compliance with the HIPAA Security Standards.
- Access to and Amendment of Protected Health Information: To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity and within fifteen (15) days of a request by Covered Entity, Business Associate shall (a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying, or to an individual to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524, or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526. Business Associate shall not Disclose PHI to a health plan for payment or Health Care Operations purposes if and to the extent that Covered Entity has informed Business Associate that the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, consistent with 42 U.S.C. § 17935(a) and 42 C.F.R. § 164.522(a)(1)(vi). If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall provide such information in the electronic form and format requested by the Covered Entity if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Covered Entity to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate shall notify Covered Entity within fifteen (15) days of receipt of a request for access to PHI.
- Accounting: To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within thirty (30) days of receipt of a request from Covered Entity or an individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528 and its obligations under 42 U.S.C. § 17935(c). Business Associate shall notify Covered Entity within fifteen (15) days of receipt of a request by an individual or other requesting party for an accounting of disclosures of PHI.
- Use of Subcontractors: Business Associate shall require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate, to execute a Business Associate Agreement that imposes on such Subcontractors the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to PHI.
- Minimum Necessary: Business Associate (and its Subcontractors) shall, to the extent practicable, limits its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.
- Compliance with New York General Business Law 899-aa: Business Associate shall report to Covered Entity without unreasonable delay, and in no case later than three (3) business days after discovery of any unauthorized use or disclosure of an Individual’s private information as such term is defined by New York State General Business Law 899-aa, and includes the Individual’s i) Social Security Number; ii) driver’s license number or non-driver identification card number; or iii) account number, credit or debit card number, in combination with any required security, access code, or password that would permit access to the Individual’s financial account.
Article III: Term and Termination
- Term: The term of this BAA shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information, in accordance with Section 3.3, or on the date that Covered Entity terminates for cause as authorized in Section 3.2, whichever is sooner.
- Termination for Cause: Upon Covered Entity’s knowledge of a material breach or violation of this BAA by Business Associate, Covered Entity shall either:
- Notify Business Associate of the breach in writing, and provide an opportunity for Business Associate to cure the breach or end the violation within ten (10) business days of such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Covered Entity, Covered Entity may immediately terminate this BAA upon written notice to Business Associate; or
- Upon written notice to Business Associate, immediately terminate this BAA if Covered Entity determines that such breach cannot be cured.
- Disposition of Protected Health Information Upon Termination or Expiration:
- Upon termination or expiration of this BAA, Business Associate shall either return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such PHI. If Covered Entity requests that Business Associate return PHI, PHI shall be returned in a mutually agreed upon format and timeframe, at no additional charge to Covered Entity
- If return or destruction is not feasible, Business Associate shall (a) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) return to Covered Entity the remaining PHI that Business Associate still maintains in any form; (c) continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI; (d) limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible and subject to the same conditions set out in Section2.1 and 2.2 above, which applied prior to termination; and (e) return to Covered Entity the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
Article IV: Miscellaneous
- Amendment to Comply with Law: This BAA shall be deemed amended to incorporate any mandatory obligations of Covered Entity or Business Associate under the HITECH Act and its implementing HIPAA Regulations. Additionally, the Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Covered Entity to implement its obligations pursuant to HIPAA, the HIPAA Regulations, or the HITECH Act.
- Indemnification: Business Associate hereby agrees to indemnify and hold harmless Covered Entity, its affiliates, and their respective officers, directors, managers, members, shareholders, employees and agents from and against any and all fines, penalties, damage, claims or causes of action and expenses (including, without limitation, court costs and attorney’s fees) arising from any violation of HIPAA the Business Associate incurs, from violations against the HIPAA Regulations, or the HITECH Act or from any negligence or wrongful acts or omissions, including but not limited to failure to perform its obligations, that results in a violation of HIPAA, the HIPAA Regulations, or the HITECH Act, by Business Associate or its employees, directors, officers, subcontractors, agents or members of Business Associate’s Workforce.
- Notices: Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic mail or facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt, in each case, addressed to a Party on the signature page(s) to this BAA or to such other addresses as the Parties may request in writing by notice given pursuant to this Section 4.3. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.
- Relationship of Parties: Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.
- Survival: The respective rights and obligations of the Parties under Sections 3.3 and 4.2 of this BAA shall survive the termination of this BAA
- No Assignment: Rights or obligations under this BAA shall not be transferred, assigned or encumbered without the prior written consent of the other Party; provided that, Business Associate may assign this BAA and its rights and obligations hereunder without the consent of Covered Entity to an affiliate of Business Associate or to any Person (as defined below) that purchases the equity interests of Business Associate or all or substantially all of the assets of Business Associate. For purposes of this BAA, “Person” means an individual, sole proprietorship, partnership, limited partnership, limited liability partnership, corporation, limited liability company, business trust, joint stock company, firm, trust, incorporated association, joint venture, medical practice, or other entity, organization, including a government or political subdivision, department, or agency of a government, or combination thereof.
- Applicable Law and Venue: This BAA shall be governed by and construed in accordance with the laws of New York (without regards to conflict of laws principles). The Parties agree that all actions or proceedings arising in connection with this BAA shall be tried and litigated exclusively in the State or federal (if permitted by law and if a Party elects to file an action in federal court) courts located in New York.
- Effective Date: The Parties hereto have duly executed this as of the Effective Date.