Last Updated: January 31, 2019
INBOX HEALTH MASTER TERMS
These Inbox Health Master Terms (these “Master Terms”) by and between Inbox Health, Inc. (“Inbox Health”), a Delaware corporation located at 55 Church Street, New Haven, CT 06510, and the entity who executed the applicable agreement (“Agreement”) referencing these Master Terms (“Client”). These Master Terms are effective as of the effective date of the Agreement (“Effective Date”).
In consideration of the representations, covenants and agreements contained in these Master Terms, Client and Inbox Health agrees as follows:
- Services. The applicable services to be performed by Inbox Health shall be as described in the Agreement (“Services”).
- Term. These Master Terms will commence from the Effective Date. These Master Terms and the Agreement can be terminated with thirty (30) days’ written notice at any time by either party.
- Fees. The fees shall be stated in the applicable Agreement; provided, however, if Client uses a credit card for payment, Inbox Health will be entitled to increase the fees to account for credit card processing fees.
- Confidential Information.
- Inbox Health agrees not to disclose to anyone other than Client any information about Client’s fee structure, internal compensation, medical billing strategies, or similar business information that would commonly be understood to be confidential or any confidential medical information regarding Client’s medical billing clients’ patients received in the course of performing the Services (collectively, Client’s “Confidential Information”), except as required to bill patients, as required by law or legal or regulatory process or as otherwise provided herein.
- Client agrees that it will not disclose to third parties the business methods, operating processes or documentation of the software employed by Inbox Health to provide the Services or any information about Inbox Health’s fees, operations, business methods or strategies or any other information specifically designated as confidential by Inbox Health except as required by law or legal or regulatory process (Inbox Health’s “Confidential Information”). Each party’s Confidential Information shall remain the property of that party, during and after the termination or expiration of these Master Terms.
- Each party will at all times take reasonable steps to establish and enforce the foregoing by its employees, independent contractors, consultants and vendors. The requirements of this Section 4 shall expressly survive the expiration or termination of these Master Terms. Each party specifically agrees to comply with and assist their counterpart with compliance with applicable state or federal confidentiality requirements as to individual patient information. Notwithstanding the preceding sentences, Client agrees that Inbox Health may use Client information for research and statistical compilation purposes, so long as Client and patient identifying information is kept confidential in accordance with applicable law and that any product of the foregoing uses shall be the property of Inbox Health.
- Neither party shall be required to treat as confidential any information that the recipient party can demonstrate by competent written proof: (i) was in such party’s possession or known to it prior to receipt from the other party; (ii) was publicly available at the time of receipt or later becomes publicly available through no act or omission of such party; (iii) was or later becomes lawfully available to such party from a source other than the other party and such source was not under any obligation of confidentiality or nondisclosure; or (iv) was or is developed by such party independent of the confidential information of the other party. In the event the receiving party is required by law or regulation, court order, subpoena, or other judicial or government request to disclose the other party’s confidential information, the receiving party shall, if practicable and permitted by law, promptly notify the other party to enable that party to assert whatever exclusions or exemptions that may be available to it under the law. In the event disclosure is required, the receiving party will disclose only that portion of the confidential information required by such law or regulation, court order, subpoena or other judicial or government request to be disclosed and notwithstanding such disclosure, will continue to treat such information as confidential for all other purposes under these Master Terms.
- Force Majeure. Performance of duties hereunder may be impeded by occurrences beyond the control of one or both parties. Events such as flood, earthquake, hurricane, tornado, blizzard and other natural disasters; fire, riot, war or civil disturbance; strikes by common carriers; extended loss (more than 48 hours) of utilities (except for non-payment); and similar events shall excuse the affected party from performance of services impeded by such event(s). Nevertheless, each party has a duty to use reasonable efforts to prevent or mitigate such impediments. In the event that any catastrophe shall prevent the timely billing of Client’s services by Inbox Health for more than fifteen (15) working days, Client shall have the right to secure, without penalty, substitute services until Inbox Health can restore services, at which time Inbox Health’s responsibilities and rights under these Master Terms shall be reinstated. For its protection, Client shall, at its own expense, purchase and maintain business interruption and/or accounts receivable insurance to cover any such catastrophic event, as stated above.
- Price and payment.
- Inbox Health will invoice client monthly. Any fees that are not paid within 30 days of the invoice date are subject to a late payment fee assessed at 1.5% per month or the highest amount allowed by law, whichever is less. Client shall be liable for all reasonable collection costs including attorney fees, court costs and other charges necessary for collection of past due amounts.
- If any amounts owed by Client under these Master Terms are more than thirty (30) days overdue, in addition to any of Inbox Health’s other rights and remedies under these Master Terms, Inbox Health shall have the right to suspend the Services provided to Client, without any liability to Client or any third party, until all past due amounts, interest, late payment fees and collection costs (if any) are paid in full. Inbox Health shall provide Client with fifteen (15) days advance written notice prior to any such suspension. In addition, in the case of suspension of Services, a service restoration fee shall be paid in an amount determined by Inbox Health to be sufficient to compensate it for additional effort required to suspend and then resume Services.
- Warranty Disclaimer
- Inbox Health represents and warrants that all Services will be performed in good and workmanlike manner by skilled and qualified staff and shall substantially conform to all specifications and descriptions set forth in the Agreement. In the event of a breach of the foregoing warranty, as Client’s sole remedy and Inbox Health’s sole obligation, Inbox Health shall re-perform, at no additional charge to Client, the non-conforming Services.
- EXCEPT AS EXPRESSLY SET FORTH IN SECTION 7.1 ABOVE, INBOX HEALTH DISCLAIMS ANY AND All EXPRESS OR IMPLIED WARRANTIES OF ANY KIND RESPECTING THE SERVICES, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- Limitation of Liability.
- Except for (i) Client’s non-payment of fees owing to Inbox Health under these Master Terms or (ii) a breach of Section 9 herein (Use of Proprietary Software), in no event shall either party be liable under these Master Terms to the other party or any third party for any indirect, special, incidental, punitive, or consequential damages of any type or any damages for business interruption, lost profits, lost revenue, business losses, anticipated savings, loss of data, loss of use, costs of procurement of substitute goods or services, whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damages were foreseeable and whether or not such party has been advised of the possibility of such damages, the foregoing limitation shall apply even if the non-breaching party’s remedies under these Master Terms fail of their essential purpose.
- In no event shall Inbox Health’s total aggregate liability arising out of or related to any and all claims under these Master Terms (whether arising out of or related to breach of contract, tort (including negligence) or otherwise) exceed the fees paid by Client to Inbox Health under these Master Terms in the one year prior to the act that gave rise to the liability. The foregoing limitation shall apply even if Client’s remedies under these Master Terms fail of their essential purpose.
- Use of Proprietary Software.
- Inbox Health will provide Client with access to certain Inbox Health’s proprietary, Internet-accessible software (“Inbox Health’s Proprietary Software”) configured for use with the Services identified in these Master Terms. Subject to the terms and conditions of these Master Terms, Inbox Health grants Client the right to access Inbox Health’s Proprietary Software and any modules to which Client is entitled through the Master Terms. Any such access shall be through the Internet. Client may only use Inbox Health’s Proprietary Software for Client’s own internal use, solely in connection with Client’s own internal business activities including supporting covered medical practices and their patients. Client may download any reports or data of Client during the term of these Master Terms.
- Inbox Health is and shall remain the sole and exclusive owner of all rights, title and interest to Inbox Health’s Proprietary Software, databases and data, and all improvements, enhancements, modifications, and derivative technology to Inbox Health’s Proprietary Software, whether made on behalf of Client or not, including all copyrights and other intellectual property therein. Inbox Health reserves all rights not expressly granted to Client in these Master Terms.
- Except as expressly authorized by Inbox Health, Client shall not, and shall not allow third parties, to: (i) download or copy Inbox Health’s Proprietary Software or otherwise reproduce Inbox Health’s Proprietary Software or any portion thereof, (ii) modify, reverse engineer, decompile, disassemble, or attempt to derive the source code of Inbox Health’s Proprietary Software, (iii) permit, rent, sell, lease, assign, resell, license, sublicense, distribute or otherwise transfer the use of or access to Inbox Health’s Proprietary Software for use by third parties, (iv) use Inbox Health’s Proprietary Software for timesharing or service bureau purposes or otherwise for the benefit of a third party, or create, write or develop any derivative technology or software program based on Inbox Health’s Proprietary Software or any Confidential Information belonging to Inbox Health.
- Client recognizes that Inbox Health’s Proprietary Software has substantial monetary value and is considered a trade secret containing Confidential Information belonging to Inbox Health. Client shall ensure that any identification labels or legal notices contained in any aspect of Inbox Health’s Proprietary Software are not modified, suppressed or in any other way made inconspicuous. Client acknowledges that Inbox Health’s Proprietary Software is at times dependent upon the operating system of the device and that not all features are available on all device operating systems.
- Client will access Inbox Health’s Proprietary Software using username and passwords. User names and passwords will only be issued to employees of Client or third parties that Inbox Health approves in writing. Inbox Health reserves the right to refuse issuing user names and passwords to such third parties that Inbox Health deems to be direct competitors of Inbox Health. In addition, Client may access Inbox Health’s Proprietary Software using specific static Internet protocol (IP) addresses. Client shall be solely responsible for issuing, controlling and monitoring use of user names, passwords and static IP addresses and shall take all reasonable steps to safeguard user names and passwords and access to any such static IP address. Client shall immediately notify Inbox Health of any unauthorized disclosure or use of the passwords or access to Inbox Health’s Proprietary Software or the need to deactivate passwords and provide to Inbox Health its reasonable cooperation to remedy such unauthorized disclosure or use. Passwords are subject to cancellation or suspension by Inbox Health upon the misuse of passwords by Client.
- Solely in connection with the provision of Services hereunder and subject to the terms and conditions of these Master Terms, Inbox Health grants Client a limited, revocable, non-exclusive, non-transferable right to access and use any reports provided by Inbox Health to Client solely for Client’s internal business purposes.
- The governing law for any claim arising under these Master Terms shall be the laws of the State of Connecticut. The venue for any claim arising under these Master Terms shall be the state and federal courts located In New Haven, Connecticut. Both parties agree to personal and subject matter jurisdiction in the County of New Haven, State of Connecticut and waive any rights to bring a motion based upon jurisdiction or venue. If either Inbox Health or Client employs attorneys to enforce any rights arising out of or relating to these Master Terms, the prevailing party shall be entitled to recover its reasonable attorneys’ fees, costs and other expenses.
- Regardless of the circumstances of termination or expiration of the Master Terms, or portion thereof, the provisions of Sections 3 (Fees), 4 (Confidential Information), 8 (Limitation of Liability), 9.2, 9.3, 9.4 and 10 (General) shall survive the termination or expiration and continue according to their terms.
- No waiver of any term or condition is valid unless in writing and signed by authorized representatives of both parties. No amendment or modification to the Master Terms will be valid unless set forth in writing and signed by authorized representatives of both parties.
- Inbox Health may assign these Master Terms in connection with a merger, acquisition or sale of all or substantially all of its business related hereto. Except as expressly stated in this Section, neither party may assign its rights or obligations under these Master Terms without obtaining the other party’s prior written consent.
- Inbox Health will be excused from failures to perform the Services to the extent that Client or its agents fail to perform any relevant obligations in a timely manner or commit any other act or omission that causes Inbox Health’s failure to perform the Services. Inbox Health shall be entitled to be compensated for any additional material costs incurred as a result of any delay or failure to perform on the part of Client.
- Inbox Health retains the right, in its sole and absolute discretion, to change or add to the terms of these Master Terms at any time, and such amendments will take effect immediately as of the effective date of such change.
- Neither Inbox Health’s Proprietary Software, nor any other technical data received from Inbox Health, nor the direct product thereof, shall be exported or re-exported outside the United States except as authorized and as permitted by the laws and regulations of the United States. If Client is an agency of the U.S. Government or U.S. Government contractor or subcontractor at any tier, then the U.S. Government shall agree that use of Inbox Health’s Proprietary Software is subject to the restrictions on use as permitted by FAR S2.227-19 (June 1987) or DFARS 227.7202-3(a) (Jan. l, 2000) or successor regulations, or similar acquisition regulations of other applicable U.S. Government organizations.
- Any notice required or permitted by the Master Terms must be in writing in English and delivered by personal delivery, overnight courier, or regular, certified, or registered mail, return receipt requested, and deemed received upon personal delivery, acknowledgment of receipt of electronic transmission, the promised delivery date after deposit with overnight courier, or five (5) days after deposit in the mall. Notices shall be sent to the address set forth in the introductory clause of these Master Terms or to such other addresses as may be designated by notice from one party to the other.
- Whenever possible, each provision of these Master Terms will be interpreted in such a manner as to be effective and valid under applicable law, but if any provision of these Master Terms is found to violate a law, it will be severed from the rest of the Master Terms and ignored and a new provision deemed added to the Master Terms to accomplish, to the extent possible, the intent of the parties as evidenced by the provision so severed. The headings used in the Master Terms have no legal effect.
- Except as may be otherwise provided in the Master Terms, the rights or remedies of the parties hereunder are not exclusive, and either party is entitled alternatively or cumulatively, subject to the other provisions of the Master Terms, to damages for breach, to an order requiring specific performance, or to any other remedy available at law or in equity. Neither party or its subsidiaries or affiliates will bring a claim under these Master Terms more than two years after the cause of action arose.
- These Master Terms and the Agreement constitute the entire agreement between the parties regarding the subject matter stated herein, and supersedes all previous communications, representations, understandings, and agreements, either oral, electronic, or written. The Agreement may only be modified by a writing signed by both parties. The Agreement may be signed in one or more counterparts and delivered via facsimile or other electronic means, each of which will be deemed to be an original and all of which when taken together will constitute the same agreement.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “Agreement”) is entered into as of the date that you begin using the Inbox Health Software and agree to the Terms of Service (the “Effective Date”), by and between the Client (“Covered Entity”) and Inbox Health Corp. (“Business Associate”). Covered Entity and Business Associate, collectively, may be referred to herein as the “Parties”.
ARTICLE 1 INTRODUCTION
1.1 Covered Entity and Business Associate enter into this Agreement to comply with the requirements of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), as amended, and other applicable federal and state laws (collectively the “HIPAA Rules”).
1.2 This Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for certain individually identifiable Protected Health Information relating to patients of Covered Entity (“PHI” as that term is defined below) that Business Associate may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs for Covered Entity are defined in one or more agreements between the Parties (the “Underlying Agreements”).
ARTICLE 2 DEFINITIONS
2.1 Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Agreement by reference
2.2 For purposes of this Agreement:
2.2.1 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity
2.2.2 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.2.3 “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.5 “Required by Law” shall have the meaning given to such term in 45 C.F.R. 164.103. 2.2.6 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.7 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Use and Disclosure. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
3.2 Appropriate Safeguards. Business Associate shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law.
3.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
3.4 Breach Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
3.5 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, which provides that the agent agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information
3.6 Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set to the Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.7 Minimum Necessary Requirement. Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
3.8 Amendment of PHI. Business Associate agrees to make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.9 Accounting of Disclosures. Business Associate shall provide to Covered Entity information collected in accordance with Section 3.11 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.10 Access to Policies and Records. Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules.
3.11 Documentation of Disclosures. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1 General Uses and Disclosures. Business Associate agrees to receive, create, use or disclose PHI only as permitted by this Agreement, the HIPAA Rules, and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule if done by Covered Entity, except as set forth in this Article 4.
4.2 Business Associate may use or disclose PHI as Required By Law.
4.3 Except as otherwise provided in this Agreement, Business Associate may:
4.3.1 Use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities.
4.3.2 Disclose PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the breach notification requirements of this Agreement.
4.3.3 Use PHI to provide Data Aggregation Services to Covered Entity as permitted under the HIPAA Rules.
ARTICLE 5 OBLIGATIONS OF COVERED ENTITY
5.1 Covered Entity shall:
5.1.1 Notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.1.2 Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.1.3 Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI.
5.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Covered Entity, except as provided under Article 4 of this Agreement.
TERM AND TERMINATION
6.1 Term. This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
6.1.1 Either party terminates for cause as authorized under Section 6.2.
6.1.2 All PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is determined, to be infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 6.3.
6.2 Termination for Cause. Upon Covered Entity’s knowledge of material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within the timeframe specified by Covered Entity, or if a material term of this Agreement has been breached and a cure is not possible, Covered Entity may terminate this Agreement and the Underlying Agreement(s), if any, upon written notice to Business Associate.
6.3 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
6.3.1 Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
6.3.2 Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the remaining PHI that the Business Associate still maintains in any form;
6.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 6, for as long as Business Associate retains the PHI;
6.3.4 Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI;
6.3.5 Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
ARTICLE 7 MISCELLANEOUS
7.1 Amendment. The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the HIPAA Rules and any other applicable law.
7.2 Survival. The respective rights and obligations of Business Associate under Article 6 of this Agreement shall survive the termination of this Agreement.
7.3 Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.
7.4 Interpretation. This Agreement shall be interpreted in the following manner:.
7.4.1 Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
7.4.2 Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the Department of Health and Human Services, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the Department of Health and Human Services, the court or the regulatory agency.
7.4.3 Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
7.5 Entire Agreement, Severability. This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement(s), if any, impose more stringent requirements related to the use and protection of PHI upon Business Associate. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
7.6 Assignment. This Agreement will be binding on the successors and assigns of Covered Entity and Business Associate. However, this Agreement may not be assigned by Business Associate, in whole or in part, without the written consent of Covered Entity. Any attempted assignment in violation of this provision shall be null and void.
7.7 Multiple Counterparts.
This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
7.8 Governing Law.
Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state in which the Covered Entity’s principal place of business is located.
The Parties hereto have executed this Agreement as of the Effective Date on all related contracts.