SUBSCRIPTION TERMS AND CONDITIONS
THESE SUBSCRIPTION TERMS AND CONDITIONS are a binding agreement (the “Agreement”) by and between Therasoft® Online, Inc., a Washington corporation (“Therasoft®”) and the person or entity indicated as the customer (“Licensee”) in an Order for, and the owner and each user of each computer or other device (an “Electronic Device”) which accesses and/or interacts with, the Therasoft® hosted practice management application service for therapists designated in one or more Order(s) accepted by Therasoft® (the “Service”). The supporting documentation and materials embedded in the Service or obtained electronically or on Media from Therasoft® are referred to as the “Documentation”. The Service and the Documentation are collectively referred to as the “Licensed Materials”. This Agreement shall be effective on the date Therasoft® accepts an Order from Licensee (the “Effective Date”). As used in this Agreement: “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended from time to time; “HITECH” means the Health Information Technology for Economic and Clinical Health Act; “HIPAA Regulations” means the regulations promulgated pursuant to HIPAA and HITECH; and “Media” means any object which can record information in a form that can be transferred into an Electronic Device.
Subject to the terms and conditions of this Agreement, the Licensed Materials are licensed, not sold, to Licensee by Therasoft®. Therasoft® grants to Licensee, and Licensee accepts from Therasoft®, a non-exclusive, non-transferable, revocable license to Use the Licensed Materials for the Term. The Licensed Materials may not be Used by more than the cumulative number of users, including Contractors and Affiliate personnel, specified on all Orders accepted by Therasoft® (the “Providers”). “Order” means any mutually acceptable means of procuring licenses or services from Therasoft®, including web based registration and electronic or paper forms. Licensee may make a limited number of copies of the Documentation sufficient to support Licensee’s Use of the Service as permitted by this Agreement. “Use” means that Licensee, Affiliates, and Contractors may, during the Term, access, run, and interact with the Licensed Materials in accordance with the Documentation for Licensee’s internal business use and not as a service offered to third parties. Contractors may Use the Licensed Materials during the Term solely for the benefit of Licensee or an Affiliate and not for the benefit of any other customer or client of Contractor and only for as long as Contractor is providing services to Licensee or an Affiliate during the Term. As used in this Agreement, “Affiliate” means any entity directly or indirectly controlling, controlled by, or under common control with Licensee; “control” means ownership of at least 50% of the equity or beneficial interests of such entity; and “Contractor” means an independent contractor performing services for Licensee or an Affiliate. Licensee is responsible for ensuring all Contractors and Affiliates comply with all relevant terms of this Agreement and any failure to comply will constitute a breach by Licensee.
Licensee’s right to Use the Licensed Materials shall commence upon the Effective Date and continue for the term specified on the Order (the “Initial Term”). Licensee may renew Licensee’s right to Use the Licensed Materials for successive one year terms after the Initial Term (each a “Renewal Term”) by placing an Order for a Renewal Term or paying the renewal invoice by the invoice Due Date. As used in this Agreement, “Term” means the Initial Term and any Renewal Term.
To facilitate access to the Licensed Materials, Therasoft® will assign a URL and default administrator login credentials (“Login Credentials”). Licensee shall be responsible for assigning user names and passwords to all personnel that will access the Licensed Materials. Licensee is responsible for the security of the Login Credentials and the user names and passwords and all activities conducted using those credentials and user names and passwords.
Licensed Materials. Licensee is not acquiring any right or interest in the Licensed Materials except the limited license granted above to Use the Licensed Materials for the Term, on and subject to the terms of this Agreement. Therasoft® reserves all rights not expressly granted to Licensee and retains title and full ownership of the Licensed Materials and all intellectual property rights therein, under all applicable laws of the United States and any other applicable state or foreign laws. Therasoft® is not obligated to provide, and Licensee acquires no right of any kind with respect to, any source code for the software elements of the Licensed Materials, nor does Licensee have any right to possess the object code for any software elements of the Licensed Materials. Except as expressly permitted by this Agreement, Licensee may not: (a) sublicense, transfer, or otherwise assign its rights in the Licensed Materials to any third-party nor allow any third-party to access or use the Licensed Materials; (b) modify, create derivative works of, translate, reverse engineer, de-compile, or disassemble the Licensed Materials or the software elements of the Licensed Materials to develop any other computer program or for any other reason; or (c) copy the Licensed Materials or the software elements of the Licensed Materials, in whole or in part, without the prior written consent of Therasoft®. The original and all copies of the Licensed Materials and the software elements of the Licensed Materials remain the sole property of Therasoft®, subject to all of the confidentiality and other restrictions set forth in this Agreement. Licensee must retain all legends relating to copyright, trademarks, patents, or confidentiality on all copies of the Documentation or any print of a screen display from the Licensed Materials. 
Licensee acknowledges that Therasoft® may analyze Licensee’s usage of the Licensed Materials for product support, product development, and administrative purposes, including confirmation of use of the Licensed Materials in compliance with the terms of this Agreement.
Licensee Data. Licensee shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of, and the right to use, all data, information, or material that is submitted to the Service (“Licensee Data”). Each submission of Licensee Data to the Service constitutes Licensee’s representation that all procedures, tests, and other work entered into the Service have been performed by Licensee and that Licensee has obtained all licenses, permissions, and consents necessary to submit the Licensee Data for use as contemplated in this Agreement. Licensee grants Therasoft® an irrevocable, world-wide, royalty free, perpetual, license and right to access, extract, process, analyze, aggregate, and store Licensee Data to the extent reasonably necessary to provide the Service, to prepare information, reports, relating to the Service, to aggregate Licensee Data with similar data from other Therasoft® customers (“Aggregated Data”), and to prepare reports, analysis, and information from aggregated data. Therasoft® will have the right to transfer, sell, and otherwise use the aggregated information subject only to restrictions imposed by the HIPAA Privacy Rule.
De-Identified Transaction Data. Pursuant to the “Licensee Data” Section above, the Licensee grants Therasoft® a license during the Term to possess and process the raw Licensee Data. Licensee acknowledges and agrees that Therasoft® will process the Licensee Data and create a de-identified, within the meaning of 45 CFR 164.514(b)(2)(i), transaction file (the “De-identified Transaction Data”), in the course of providing the Service. Therasoft® shall own De-identified Transaction Data and all intellectual property rights therein.
Feedback. Licensee may provide suggestions, comments or other feedback (collectively, “Feedback”) concerning the Licensed Materials. Feedback is voluntary. Therasoft® may use Feedback for any purpose without obligation of any kind. To the extent a license is required under Licensee’s intellectual property rights to make use of the Feedback, Licensee grants Therasoft® an irrevocable, non-exclusive, perpetual, fully-paid-up, royalty-free license to use the Feedback in connection with Therasoft®’s business, including the enhancement of our products and services.
By virtue of this Agreement, Therasoft® may be a Business Associate of Licensee and subject to HIPAA, HITECH, and the HIPAA Regulations. Therasoft® and Licensee shall execute a mutually acceptable Business Associate Agreement in compliance with HIPAA which shall set forth the obligations of Therasoft® under HIPAA, HITECH, and the HIPAA Regulations.
Maintenance and Support Services. During the Term, Therasoft® will provide the services described below (“Support”), provided the Service Fee is paid by Licensee and Therasoft® then provides Support for the Licensed Materials generally.
Support. Therasoft® will furnish to Licensee an email address for use by Licensee at any time, to report problems with the Licensed Materials and to seek assistance to resolve such problems.
Training and Telephone Support. Therasoft® will furnish to Licensee a telephone number for use by Licensee Monday through Friday, from 8:00 a.m. to 5:00 p.m. Eastern Time, United States holidays excluded, to obtain training on the Service and report problems with the Licensed Materials and to seek assistance to resolve such problems.
Error Correction. Therasoft® will use reasonable efforts to correct Errors in the Service. An “Error” is a verifiable and reproducible failure of the Service (or any component thereof) to substantially conform to the description of the Service (or any component thereof) in the Documentation. Within a reasonable period of time after confirming that an Error exists by reproducing or observing the Error described by Licensee, Therasoft® will initiate work in a diligent and sustained manner toward development of an Error Correction. An “Error Correction” is a modification to the Service that establishes substantial conformity of the Service to the Documentation, or a procedure or routine that, when included in the regular operation of the Service, eliminates the practical adverse effect on Licensee of such non-conformity. Therasoft® shall not be responsible for correcting Errors resulting from misuse, negligence, revision, modification, or improper use of the Service or any use in combination with software application service not supported by Therasoft®.
Response. Therasoft® will use all reasonable efforts to respond to all support issues within twenty-four (24) hours of notification of such support issues, excluding weekend days and holidays.
Licensee Representative. Therasoft® shall provide Support only to the Licensee Representative.
Licensee shall: (a) designate a representative of Licensee (the “Licensee Representative”), whose name is set forth in an Order or subsequently changed by notice to Therasoft®, and who shall be authorized to make decisions, approve plans, grant requests on behalf of Licensee, and receive notices from Therasoft®, and (b) fully cooperate with Therasoft® by, among other things, making available as reasonably required by Therasoft®, management decisions and personnel in order that the work of Therasoft® contemplated hereby may be properly accomplished during the Term. Licensee hereby authorizes Therasoft® to rely on all communications from and decisions of the Licensee Representatives. Except as otherwise expressly provided in this Agreement, Licensee shall be responsible for the provision of all goods and services required to install and operate the Service.
Licensee assumes sole responsibility for use of the Login Credentials. If Login Credentials are misappropriated, Licensee shall notify Therasoft® support staff immediately by telephone and shall concurrently provide written notice to Therasoft® whereupon Therasoft® will disable the Login Credentials reported by Licensee and issue replacement Login Credentials.
Licensee agrees to use the Service and Licensed Materials only for lawful purposes and in a manner that complies with all applicable laws in the jurisdictions in which they are used or accessed.
Licensee acknowledges that Therasoft® will transmit portions of Licensee Data to third parties for claims processing and other services as necessary to provide the Service. Licensee consents to the onward transfer of all portions of Licensee Data necessary, required, or convenient for Therasoft® to perform its obligations under this Agreement.
FEES AND PAYMENT
Fees. The monthly fee for Use of the Service (the “Service Fee”) during the Initial Term and any Renewal Term is based upon the number of providers, the per provider pricing specified on all applicable Orders. On thirty (30) days’ prior written or electronic notice to Licensee prior to the commencement of any Renewal Term, Therasoft® may increase the Service Fee. Any services requested by Licensee for which the fees are not set forth on an Order will be billed at Therasoft®’s then prevailing time and material rates. Unless Therasoft® otherwise agrees in writing, all amounts are billed in US Dollars, net of any and all foreign, federal, state, or local taxes, including without limitation, sales taxes, use taxes, VAT, excise taxes, duties, and import taxes (collectively, “Taxes”). Licensee is responsible for, and must pay, any and all Taxes (other than Taxes based on Therasoft®'s income) imposed in connection with the Licensed Materials and any other services provided in connection with this Agreement, if applicable. Licensee will promptly reimburse Therasoft® for the amount of any Taxes that Therasoft® is required to pay on behalf of Licensee or as a result of Licensee's failure to pay such Taxes.
Adding Providers. Licensee may increase the number of Providers addressed by the Service by submitting an Order. The increase in the number of Providers will be subject to the following: (a) the Initial Term for the additional Providers will commence on the date the Order is accepted by Therasoft® and (b) the Service Fee for the additional Providers will be as specified in the Order. Therasoft® reserves the right to make the Initial Term of any Order increasing the number of Providers co-terminus with the Initial Term or Renewal Term related to the registration page or to make the Initial Term or Renewal Term related to the registration page co-terminus with the Initial Term of any Order increasing the number of Providers.
Payment Terms. Invoices are payable in full without deduction or setoff, in US Dollars upon receipt or such later date as may be specified in the invoice (the “Due Date”). Interest shall accrue from the Due Date on all amounts unpaid more than thirty days after the Due Date at the rate of one and one-half percent (1-1/2%) per month. If Licensee believes an invoice or charge is incorrect, Licensee must contact Therasoft® in writing within 30 days of the invoice date or charge to be eligible to receive an adjustment or credit.
Verification of Usage. Therasoft® reserves the right to verify that Licensee’s Use of the Service has not exceeded the cumulative number of Providers under the registration page and all Orders accepted by Therasoft®. If Therasoft® determines that Licensee’s Use of the Service has exceeded the cumulative number of Providers under the registration page and all Orders accepted by Therasoft®, Therasoft® shall so notify Licensee in writing (such Notice is a “Deficiency Notice”), and Licensee shall submit an Order for a sufficient number of Providers to establish compliance with the terms of this Agreement within thirty (30) days after receipt of the Deficiency Notice.
DISCLAIMER OF WARRANTIES
- THE LICENSED MATERIALS ARE PROVIDED TO THE LICENSEE ON AN “AS IS” AND “AS AVAILABLE” BASIS WITH NO WARRANTY;
- THERASOFT® DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE LICENSED MATERIALS AND SUPPORT AND THE AVAILABILITY OF THE SERVICE, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, QUALITY OF INFORMATION, AND TITLE/NONINFRINGEMENT.
- THERASOFT® DOES NOT WARRANT THAT THE LICENSED MATERIALS MEET LICENSEE’S REQUIREMENTS; WILL BE AVAILABLE WHEN NEEDED; ARE FREE FROM BUGS, VIRUSES, ERRORS, OR OTHER PROGRAM LIMITATIONS; THE ACCURACY OR RELIABILITY OF ANY INFORMATION OBTAINED THROUGH THE LICENSED MATERIALS; OR THAT DEFECTS IN THE LICENSED MATERIALS WILL BE CORRECTED.
- THERASOFT® ASSUMES NO RESPONSIBILITY FOR THE TIMELINESS, DELETION, MIS-DELIVERY, OR FAILURE TO STORE ANY OF LICENSEE’S COMMUNICATIONS, DATA, OR PERSONALIZATION SETTINGS.
- LICENSEE AGREES THAT THE USE OF THE LICENSED MATERIALS FOR ANY PURPOSE RELATED TO PATIENT CARE MUST NOT BE SUBSTITUTED FOR LICENSEE’S PROFESSIONAL SKILL AND JUDGMENT. LICENSEE ACKNOWLEDGES THAT THERASOFT® IS AND SHALL BE IN NO WAY RESPONSIBLE FOR THE ACCURACY OF ANY MEDICAL INFORMATION CONTAINED IN, ENTERED INTO OR USED IN CONNECTION WITH THE LICENSED MATERIALS, AND LICENSEE WILL INDEPENDENTLY VERIFY THE ACCURACY AND COMPLETENESS OF SUCH INFORMATION. IN NO EVENT SHALL THERASOFT® BE LIABLE TO LICENSEE’S PATIENTS, INCLUDING WITHOUT LIMITATION, FOR ANY DAMAGES RELATING TO ANY PERSONAL INJURY OR LOSS OF LIFE CLAIMS.
LICENSEE REPRESENTS AND WARRANTS TO THERASOFT® THAT THE PERSON THAT COMPLETES AND SUBMITS THE REGISTRATION PAGE AND ANY ORDER IS DULY AUTHORIZED TO BIND LICENSEE TO THE TERMS OF THIS AGREEMENT AND THAT THIS AGREEMENT IS A LEGAL, VALID, AND BINDING OBLIGATION OF LICENSEE, ENFORCEABLE AGAINST LICENSEE IN ACCORDANCE WITH ITS TERMS.
INTERNET DELAYS AND SECURITY
THERASOFT®’S SERVICE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. THERASOFT® IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS.
THE SERVICES MAY BE USED TO ACCESS AND TRANSFER INFORMATION OVER THE INTERNET. LICENSEE ACKNOWLEDGES AND AGREES THAT THERASOFT® DOES NOT OPERATE OR CONTROL THE INTERNET AND THAT: (I) VIRUSES, WORMS, TROJAN HORSES, OR OTHER UNDESIRABLE DATA OR SOFTWARE; OR (II) UNAUTHORIZED USERS (E.G., HACKERS) MAY ATTEMPT TO OBTAIN ACCESS TO AND DAMAGE LICENSEE’S SYSTEMS, NETWORKS, AND DATA. THERASOFT® WILL NOT BE RESPONSIBLE FOR THOSE ACTIVITIES.
“Therasoft® Confidential Information” means all business or technical information of Therasoft® that is not generally known to the public and that derives value from not being generally known, whether such information is disclosed orally or in writing. Licensee acknowledges and agrees that the Licensed Materials, the pricing and terms of this Agreement, the product road map of the Service, Aggregated Data, and any source code, object code, proprietary tools, knowledge, or methodologies disclosed by Therasoft® to Licensee in connection with this Agreement or the use of the Service are Therasoft® Confidential Information.
Licensee agrees that it will not use, disclose, provide, or otherwise make available any Therasoft® Confidential Information except on a need to know basis in connection with the Use of the Licensed Materials as authorized under this Agreement. Licensee agrees that it will obtain a written confidentiality agreement from each third party (consultant or any other person) not governed by this Agreement who is provided access to the Therasoft® Confidential Information. Licensee shall use all reasonable efforts to protect the Therasoft® Confidential Information from any use, reproduction, publication, disclosure, or distribution not specifically authorized by this Agreement. Licensee shall promptly notify Therasoft® of any known unauthorized use or disclosure of the Therasoft® Confidential Information and will cooperate with Therasoft® in any litigation brought by Therasoft® against third parties to protect Therasoft®’s rights in Therasoft® Confidential Information.
The Licensee's obligations under this Agreement will not apply to any portion of the Therasoft® Confidential Information that: (a) at the time of disclosure to Licensee, was in the public domain or subsequently becomes a part of the public domain through no breach of this Agreement; (b) Licensee had in its possession at the time of disclosure by Therasoft®, as established by written documentation in existence at that time, and that was not acquired directly or indirectly from Therasoft® or with knowledge of confidentiality restrictions; (c) Licensee subsequently acquires by lawful means from a third-party who is under no obligation of confidentiality or non-use owed to Therasoft®; or (d) Licensee subsequently independently develops without any use of or reference to the Therasoft® Confidential Information.
If Licensee is legally compelled to disclose any portion of the Therasoft® Confidential Information in connection with a lawsuit or similar proceeding or to any governmental agency, Licensee will, unless precluded by the applicable process, give Therasoft® prompt notice of that fact, including in its notice the legal basis for the required disclosure and the nature of the Therasoft® Confidential Information that must be disclosed. Licensee will cooperate fully with Therasoft® in obtaining a protective order or other appropriate protection relating to the disclosure and subsequent use of the Therasoft® Confidential Information. Licensee will disclose only that portion of the Therasoft® Confidential Information that is legally required to be disclosed.
Licensee shall indemnify, defend, and hold harmless Therasoft®, its Affiliates, and its and their directors, officers, employees, licensors, suppliers, vendors, and agents (the “Therasoft® Indemnitees”) from and against any losses, liabilities, fines, sanctions, damages, costs, and expenses, including without limitation reasonable attorneys’ fees (collectively, “Losses”) arising out of or related to any third party claim that is based upon or alleges (a) a breach of Licensee’s obligations in respect of Therasoft® Confidential Information, (b) the presence of harmful code in Licensee Data, (c) the misuse of Licensee Data, (d) Licensee’s use of the Services; (e) Licensee’s breach of this Agreement; or (f) personal injury or property damage caused by the gross negligence or willful misconduct of Licensee in connection with the Service (each a “Claim”), provided, however, that such indemnification shall not apply with respect to any Claims caused by Therasoft®’s gross negligence or willful misconduct.
Procedures for Claims. Therasoft® agrees to give Licensee prompt written notice of any Claim for which Therasoft® seeks indemnification, provided however, any failure by Therasoft® to timely provide such notice will not relieve Licensee of its indemnification obligations except to the extent Licensee can demonstrate actual prejudice as a result of such failure. Within thirty (30) days after receiving Therasoft®’s notice of a Claim, but no later than ten (10) days before the date on which any formal response to the Claim is due, Licensee will notify Therasoft® in writing acknowledging its indemnification obligation and assuming control of the defense and settlement of the Claim (a “Notice of Election”). If Licensee delivers a timely Notice of Election to Therasoft®, Licensee shall have sole control over the defense and settlement of the Claim. Therasoft® shall cooperate with Licensee in the defense of the Claim. Therasoft® will have the right to participate with Licensee in the defense or appeal of any Claim, at Therasoft®’s option and at Therasoft®’s own expense (such expense not being indemnified by Licensee), but Licensee will have sole control and authority with respect to any such defense, compromise, settlement, appeal, or similar action, provided that Licensee obtains Therasoft®’s prior written consent to any settlement that requires Therasoft® to make any admission of fault or pay any amounts in connection with such settlement. If Licensee does not deliver a timely Notice of Election or does not conduct the defense of a Claim after delivering a timely Notice of Election, Therasoft® may defend and/or settle the Claim in such manner as it may deem appropriate, at the cost and expense of Licensee, including payment of any settlement, judgment or award and the costs of defending or settling the Claim. Licensee will promptly reimburse Therasoft® upon demand for all Losses suffered or incurred as a result of or in connection with the applicable Claim.
LIMITATION OF LIABILITY
IN NO EVENT WILL THERASOFT®, ITS SUBSIDIARIES, OR ANY OF THE LICENSORS, DIRECTORS, OFFICERS, EMPLOYEES, OR AFFILIATES OF THERASOFT® OR ITS SUBSIDIARIES BE LIABLE TO LICENSEE OR AFFILIATES OF LICENSEE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY, PRODUCT LIABILITY, OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, OR SPECIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OR RECONSTRUCTION OF DATA, AND THE LIKE), WHETHER FORESEEABLE OR UNFORESEEABLE, OR FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS, TECHNOLOGY, OR SERVICES, REGARDLESS OF THE BASIS OF THE CLAIM AND EVEN IF THERASOFT® OR A THERASOFT® REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND EVEN IF A REMEDY SET FORTH IN THIS AGREEMENT IS FOUND TO HAVE FAILED ITS ESSENTIAL PURPOSE. IN NO EVENT WILL THERASOFT®’S CUMULATIVE LIABILITY FOR DAMAGES FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, EVER EXCEED THE AMOUNTS PAID BY LICENSEE PURSUANT TO THIS AGREEMENT IN THE 12 MONTH PERIOD ENDED ON THE DATE SUCH CLAIM AROSE. THE LIMITATION UPON DAMAGES AND CLAIMS IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN THERASOFT® AND LICENSEE. THERASOFT® WOULD NOT HAVE PROVIDED THE LICENSED MATERIALS WITHOUT SUCH LIMITATIONS.
By Licensee. Licensee may terminate this Agreement: (i) if Therasoft® shall materially breach the provisions of this Agreement, which breach is not cured within thirty (30) days after Therasoft®’s receipt of written notice from Licensee, or (ii) by giving Therasoft® written notice at least ninety (90) days prior to the end of the Initial Term or any Renewal Term of this Agreement.
By Therasoft®. Therasoft® may terminate this Agreement and the License granted hereunder effective upon delivery of written notice to Licensee if: (i) Licensee shall not pay when due any sum owed hereunder and such non payment continues for more than twenty (20) days after written notice from Therasoft®, (ii) Licensee shall breach any provision of this Agreement which breach continues for more than twenty (20) days after written notice from Therasoft®, or (iii) Licensee shall become insolvent or shall make an assignment for the benefit of its creditors or there shall be filed by or against Licensee any bankruptcy, receivership, reorganization, or other like proceeding under any present or future debtor relief law. Therasoft® may discontinue providing the Service effective on any annual renewal date, upon 180 days prior written notice.
Effect of Termination. Service Fees are non-refundable. Upon any termination of this Agreement, Licensee must immediately cease all Use of the Licensed Materials and delete all copies of the Licensed Materials from any Electronic Device and all Media on which the Licensed Materials are then resident. Licensee shall certify to Therasoft® in writing that it has complied with the preceding sentence. The provisions of this Agreement labeled Limitation of Liability and Confidentiality shall survive the expiration or termination of this Agreement. Therasoft® will retain Licensee Data for sixty (60) days after termination of this Agreement (the “Data Retention Period”). Upon Licensee’s written request Therasoft® shall provide Licensee a back-up copy of Licensee Data. Following the Data Retention Period, Therasoft® may delete Licensee Data from any Electronic Device and all Media on which Licensee Data is present without notice.
Licensee acknowledges and agrees that the Licensed Materials are subject to restrictions and controls imposed by United States law. Licensee represents and warrants that Licensee is not (a) located in an embargoed country as designated by the Office of Foreign Asset Control of the Treasury Department (an “Embargoed Country”), or (b) listed on the prohibited persons list maintained by the Bureau of Industry and Security of the Department of Commerce (the “Prohibited Persons List”). Licensee will not re-export the Licensed Materials to any person located in an Embargoed Country or listed on the Prohibited Persons List.
The Licensed Materials are a "commercial item," as that term is defined at 48 C.F.R. 2.101 (OCT 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and the Department of Defense Federal Acquisition Regulations Sections 252.227-7014 (a) (1), (5). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227-7202-1 through 227-7202-4 (JUNE 1995), all U.S. Government End Users acquire the Licensed Materials with only those rights set forth in this Agreement. The Contractor/manufacturer is Therasoft®, 1420 5th Ave Ste 2200, Seattle WA 98101.
Assignment. Licensee may not assign or transfer its rights and obligations under this Agreement without the prior written consent of Therasoft®, and any purported assignment or transfer without the prior written consent of Therasoft® shall be null and void.
Amendments. Therasoft® may amend this Agreement at any time, or from time to time, by posting a new Agreement on Therasoft®’s web site, which shall be effective ten (10) days after the new Agreement is posted on Therasoft®’s website or when Licensee is notified of such amendment by Therasoft® by notice to the Licensee Representative, whichever occurs first.
Force Majeure. Neither party shall be in default by reason of any failure in performance of this Agreement if such failure arises, directly or indirectly, out of causes reasonably beyond the direct control or foreseeability of such party, including but not limited to, acts of God or of the public enemy, U.S. or foreign governmental acts in either a sovereign or contractual capacity, fire, flood, epidemic, restrictions, strikes, and/or freight embargoes.
No Waiver. Any failure by either party to detect, protest, or remedy any breach of this Agreement shall not constitute a waiver or impairment of any such term or condition, or the right of such party at any time to avail itself of such remedies as it may have for any breach or breaches of such term or condition. A waiver may only occur pursuant to the prior written express permission of an authorized officer of the other party.
Severability. If any provision hereof is declared invalid by a court of competent jurisdiction, such provision shall be ineffective only to the extent of such invalidity, so that the remainder of that provision and all remaining provisions of this Agreement will continue in full force and effect.
Headings. Headings used in this Agreement are for convenience only and shall not be considered in construing or interpreting this Agreement.
Governing Law. This Agreement and the rights of the parties hereunder shall be governed by and construed in accordance with the laws of the State of Washington, without regard to the conflicts of laws provisions thereof. Any action arising under or in connection with this Agreement may be brought in any appropriate state court sitting in King County, Washington or in any federal court sitting in King County (Seattle Division) (collectively, the “Permitted Courts”) and the parties: (a) consent to the jurisdiction of the Permitted Courts in such actions and (b) agree not to plead or claim that such litigation brought in the Permitted Courts has been brought in an inconvenient forum. In any suit, arbitration, mediation, or other proceeding to enforce any right or remedy under this Agreement or to interpret any provision of this Agreement, the prevailing party will be entitled to recover its costs, including reasonable attorneys’ fees, and all costs and fees incurred on appeal or in a bankruptcy or similar action. The parties expressly exclude all applications of the United Nations Convention on the International Sale of Goods to this Agreement.
Entire Agreement. This Agreement and the Orders accepted by Therasoft® constitute the final, complete, and exclusive statement of the agreement between Therasoft® and Licensee in respect of the subject matter hereof and thereof, and supersede and replace all previous written or oral agreements, proposals, RFP responses, and representations. The parties acknowledge that there are no contemporaneous side-letters, or oral agreements, or other arrangements that contradict, alter, or otherwise serve to modify any of the terms set forth in this Agreement. The terms and conditions of this Agreement will control over any contradictory or additional terms and conditions in any request for proposal, proposal, purchase order, or other written form. Licensee acknowledges that Therasoft® objects to all pre-printed terms and conditions on, or attached to, Licensee’s purchase orders and that such pre-printed terms and conditions shall be of no force or effect. This Agreement has been accepted by Therasoft® in Atlanta, GA. Therasoft® and Licensee agree that this Agreement constitutes a written agreement and that each Order shall be subject to, and governed by, the terms of this Agreement as if this Agreement were reproduced, or incorporated by reference, in such Order. Nothing in this Agreement shall supersede any prior confidentiality agreement or, if applicable, any enterprise or master license agreement between Therasoft® and Licensee.
Notices. Notices given by Therasoft® will be sent to the e-mail address or mailing address on the registration page. Notices given by Licensee to Therasoft® must be given by e-mail to legal@Therasoft.com or such updated address as Therasoft® may provide. Notice sent to the e-mail or conventional mailing address last provided by the Licensee Representative to Therasoft® shall be effective, valid, and binding regardless of whether such address has been changed, canceled, has expired, has been terminated, or otherwise becomes inoperative.
Publicity. Licensee agrees that Therasoft® may include identification of Licensee as a customer on Therasoft®'s website, provided that the identification of Licensee is no more prominent than the identification of Therasoft®'s other customers and is otherwise consistent with Therasoft®'s practice of identifying its customers on its website.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is made this ____ day of ___________, 2015, by and between _________________________________________ (“Covered Entity”), and Therasoft® Online, Inc., a Washington corporation (“Business Associate”) (collectively, the “Parties”).
WHEREAS, the Parties have entered into one or more Services Agreements (as defined below), under which Business Associate has agreed to provide certain services on behalf of Covered Entity, which involves the disclosure of Protected Health Information from Covered Entity and will require Business Associate to have the use, receipt, or access to Covered Entity’s Protected Health Information (the “Services”) to perform the Services; and
WHEREAS, Covered Entity is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HIPAA”), subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 (“HITECH”) and the implementing regulations promulgated thereunder from time to time by the U.S. Department of Health and Human Services (“HHS”), including but not limited to the Privacy, Security, Breach Notification and Enforcement Rules set forth in 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Regulations”); and
WHEREAS, the HIPAA Regulations require Covered Entity to enter into a contract with Business Associate in order to provide for certain protections for the privacy and security of Protected Health Information, and to prohibit the disclosure to or use of Protected Health Information by Business Associate if such a contract is not in place; and
WHEREAS, the Parties desire to enter into this Agreement to govern the terms and conditions under which Business Associate may use, receive or access Covered Entity’s Protected Health Information to provide the Services, in accordance with HIPAA and the HIPAA Regulations.
NOW, THEREFORE, in consideration of the foregoing, each intending to be legally bound, the Parties agree as follows:
Section 1. Definitions. The following terms used in this Agreement shall have the same meanings as those terms in the HIPAA Regulations: Breach, Data Aggregation, Designated Record Set, Disclose or Disclosure, Health Care Operations, Individual, Minimum Necessary, Payment, Protected Health Information, Required by Law, Security Incident, Subcontractor, Treatment, Unsecured Protected Health Information, and Use.
- (a) Specifically, Protected Health Information (“PHI”) means any information, whether oral or recorded in any form or medium, that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes Electronic Protected Health Information (“ePHI”).
- (b) “Services Agreement” shall mean any present or future agreements, either written or oral, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of Protected Health Information. The Services Agreement is amended by and incorporates the terms of this Addendum.
- (c) Other terms used, but not otherwise defined in this Agreement shall have the same meanings as those terms in the HIPAA Regulations.
Section 2. Obligations of Business Associate.
2.1 Permitted Uses and Disclosures of Protected Health Information. Business Associate may use and disclose PHI received from and made available from Covered Entity or created by Business Associate on behalf of Covered Entity, only as necessary to perform the Services and as otherwise authorized by Covered Entity, provided that such use and disclosure would be permitted under state and federal confidentiality laws if done by Covered Entity, or as otherwise required by law or regulation. Business associates may use or disclose protected health information as required by law. All other uses and disclosures not authorized by this Agreement are prohibited, without obtaining written authorization from Covered Entity. Notwithstanding the foregoing, Business Associate may use or disclose PHI for the specific uses and disclosures set forth below:
- (a) Management and Administration. Business Associate may use and disclose PHI for the proper management and administration of Business Associate, or to carry out legal responsibilities of the Business Associate, provided that any disclosure is required by law, or Business Associate obtains reasonable assurances in writing from the person to whom the PHI is disclosed (i) that the PHI will remain confidential and will be used or further disclosed only for the purposes for which it was disclosed to the person; and (ii) the person is obligated to notify Business Associate (who will notify Covered Entity) of any instances of which it is aware in which the confidentiality of the PHI has been breached.
- (b) Minimum Necessary. Business Associates may make uses and disclosures and requests for PHI consistent with 45 C.F.R. 164.502(b)(1). Business Associate agrees to use and disclose the minimum necessary PHI to accomplish tasks.
- (c) De-Identification of PHI. Business Associates may use PHI to de-identify the PHI in accordance with 45 C.F.R. 164.514(a)-(c). Without limiting the generality of the foregoing, Business Associate may de-identify and aggregate PHI for its own use, and may use and disclose such de-identified PHI as permitted under applicable law. PHI de-identified by Business Associate at the request of Covered Entity shall be owned by Covered Entity. All other de-identified PHI shall be owned by Business Associate, provided that Covered Entity shall not be limited or prevented in creating and using its own de-identified PHI, whether de-identified by Covered Entity, Business Associate or a third party.
- (d) Except as otherwise expressly limited in this Exhibit, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by § 164.504(e)(2)(i)(B) of the HIPAA Regulations.
2.2 Security Rule Compliance. Business Associate shall establish, implement and maintain appropriate administrative, physical and technical safeguards in accordance with Subpart C of 45 C.F.R. Part 164 (the “Security Rule”) that reasonably and appropriately protect the confidentiality, integrity, and availability of any ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity and to prevent the use or disclosure of ePHI in any manner other than as permitted by this Agreement.
2.3 Mitigation. Business Associate agrees to mitigate, to the maximum extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
2.4 Reporting Non-Permitted Use and Disclosure of PHI and Breach Notification. Business Associate shall report to Covered Entity as soon as practicable and without unreasonable delay any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 C.F.R. § 164.410, and any security incident of which it becomes aware. The Business Associate report shall identify: (i) the nature of the non-permitted use or disclosure, (ii) the PHI used or disclosed, (iii) who made the non-permitted use or received the unauthorized disclosure and (v) what corrective action Business Associate has taken or shall take to prevent future similar unauthorized use or disclosure, and any other information necessary for Covered Entity to satisfy the provisions of HIPAA regulatory notification and reporting requirements.
In the event of a breach of PHI by Business Associate or any employee or agent of Business Associate, Business Associate shall cooperate with Covered Entity in (i) determining which party should provide the notices of breach that are required by 45 C.F.R. § 164.405 and 45 C.F.R. § 164.406 to individuals and to the media, if media notice is required, (ii) conducting the necessary risk assessment and (iii) providing information required for the notices.
2.5 Use of Subcontractors and Agents. Business Associate shall ensure that any subcontractors or agents that create, receive, maintain or transmit PHI on behalf of Business Associate in connection with the Services it provides to Covered Entity under this Agreement shall agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information, as provided in this Agreement, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), by requiring subcontractors and agents to enter into a written business associate agreement with Business Associate, incorporating such restrictions, conditions and requirements.
2.6 Availability of Internal Practices, Books and Records to Government Agencies. Business Associate shall make available to the Covered Entity, or to the Secretary of the U.S. Department of Health and Human Services ("Secretary"), its internal practices, books and records relating to the use and disclosure of PHI, in a time and manner designated by the Covered Entity or the Secretary, for purposes of determining compliance with HIPAA and the HIPAA Regulations.
2.7 Access by Individuals to PHI. Business Associate shall establish and maintain appropriate procedures to give individuals who are the subject of the PHI (or their designees, if applicable) access to their PHI in a designated record set held by Business Associate to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
2.8 Amendment of PHI. Business Associate shall make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations thereunder. Business Associate shall provide to Covered Entity such information as requested by Covered Entity to permit Covered Entity to respond to a request by an individual for an amendment to their PHI in accordance with the HIPAA Regulations within forty-five (45) days of receipt of a written request from Covered Entity.
2.9 Accounting of Disclosures. Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of all disclosures of PHI by Business Associate or its employees, agents, representatives or subcontractors, in accordance with the requirements of 45 C.F.R. § 164.528. At a minimum, within thirty (30) days of receipt of a written request from Covered Entity, Business Associate shall document and make available to Covered Entity or the individual, any information necessary to provide an accounting of disclosures in accordance with the requirements of the HIPAA Regulations. Business Associate shall maintain a process to provide this accounting of disclosures for as long as Business Associate maintains PHI received from or on behalf of Covered Entity. For each disclosure that requires an accounting under this Section 2.9, Business Associate shall track the information specified above, and shall securely maintain the information for six (6) years from the date of the disclosure.
2.10 Restrictions: Requests for Confidential Communications. Business Associate shall comply with any agreements for confidential communications of which it is aware and to which Covered Entity agrees pursuant to 45 C.F.R. §164.522(b) by communicating with individuals using agreed upon alternative means or alternative locations.
2.11 Compliance with Standard Transactions. Covered Entity is obligated to conduct Standard Transactions, as that term is defined in 45 C.F.R. § 162.103 in accordance with the requirements of 45 C.F.R. Part 162. If Business Associate conducts in whole or part Standard Transactions, for or on behalf of the Covered Entity, Business Associate will comply, and will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 C.F.R. Part 162. Neither party will enter into, or permit its subcontractors or agents to enter into any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of Covered Entity that:
- (a) Changes the definition, data condition, or use of a data element or segment in a Standard Transaction;
- (b) Adds any data element or segment to the maximum defined data set;
- (c) Uses any code or data element that is marked “not used” in the Standard Transaction’s Implementation specification or is not in the Standard Transaction’s implementation specification; or
- (d) Changes the meaning or intent of the Standard Transaction’s implementation specification.
2.12 Acknowledgement of Application of Civil and Criminal Penalties. Business Associate acknowledges that under HIPAA, in the event that Business Associate does not comply with the requirements of the Agreement, criminal and civil penalties may be imposed by the Department of Health and Human Services in the same manner that such penalties apply to Covered Entity.
Section 3. Obligations of Covered Entity
3.1 Notification of Changes to Notice of Privacy Practices. Covered Entity shall notify Business Associate of any changes in, or limitation(s) in the Notice of Privacy Practices that Covered Entity provides to individuals pursuant to the HIPAA Regulations, to the extent such limitation or change may affect Business Associate’s use or disclosure of PHI.
3.2 Individual Revocation of Authorization. Covered Entity shall inform Business Associate of any changes in, or revocation of, the authorization provided to Covered Entity by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI under this Agreement.
3.3 Notification of Restrictions. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restrictions may affect Business Associate’s use or disclosure of PHI.
3.4 Permitted Use. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity.
Section 4. Term and Termination
4.1 Term. Subject to the post-termination obligations set forth in Section 4.3 of this Agreement, the term of this Agreement shall be coterminous with the term of the Services Agreement.
4.2 Termination for Cause.
- (a) Termination by Covered Entity. In addition to and notwithstanding the termination provisions set forth in the Services Agreement, Covered Entity may terminate this Agreement immediately upon the provision of written notice to Business Associate if Business Associate has breached a material provision of this Agreement and Business Associate fails to cure the material breach within thirty (30) days of receipt of written notice from Covered Entity regarding the existence of the material breach by Business Associate. Business Associate's obligations under Article II and Section 4.3 shall survive the termination or expiration of this Agreement.
- (b) Termination by Business Associate. In addition to and notwithstanding the termination provisions set forth in the Services Agreement, Business Associate may terminate this Agreement immediately upon the provision of written notice to Covered Entity if Covered Entity has breached a material provision of this Agreement and Covered Entity fails to cure the material breach within thirty (30) days of receipt of written notice from Business Associate regarding the existence of the material breach by Covered Entity.
4.3 Disposition of PHI Upon Termination or Expiration. Upon termination or expiration of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, shall:
- (a) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- (b) Return to Covered Entity, or if agreed to by Covered Entity, destroy the remaining PHI that Business Associate still maintains in any form;
- (c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
- (d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Article II which applied prior to termination; and
- (e) Return to Covered Entity (or if agreed to by Covered Entity, destroy), the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- (f) The parties acknowledge and agree that if it is not feasible for Business Associate to return or destroy PHI, Business Associate must follow restrictions of this Section 4.3 regarding PHI retained, and must limit further uses and disclosures to those purposes that make return or destruction feasible.
Section 5. Miscellaneous
5.1 No Third Party Beneficiaries. There are no third party beneficiaries to this Agreement.
5.2 Interpretation. Any ambiguity in this Exhibit shall be resolved to permit compliance with the Regulations, as in effect or as amended.
5.3 Unencrypted PHI. Covered Entity will not send unencrypted PHI to Business Associate in any form, including via email or on mobile devices such as USB drives. Should Covered Entity do so, Business Associate is not responsible for any damages arising out of or relating to unencrypted PHI that Covered Entity sends to Business Associate in any form.
5.4 Amendment to Comply with Law. The Parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required in future to provide for procedures to ensure compliance with such developments. The Parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of PHI. The parties understand and agree that Covered Entity must receive satisfactory written assurance from Business Associate that Business Associate will adequately safeguard all PHI that it receives or creates pursuant to this Agreement. Upon (a) a change or development in HIPAA or the HIPAA Regulations requiring an amendment to this Agreement and (b) either party’s request, the other party agrees promptly to enter into negotiations concerning the terms of any amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Regulations or other applicable laws. Either party may terminate this Agreement and Services Agreement upon thirty (30) days written notice in the event (i) the other party does not promptly enter into negotiations to amend this Agreement when requested by Covered Entity pursuant to this Section or (ii) the parties are unable, after good faith negotiations and cooperation, to enter into an amendment to satisfy such changes or developments in HIPAA or the HIPAA Regulations.
5.5 Relationship to Services Agreement Provisions. In the event that a provision of this Agreement is contrary to a provision of the Services Agreement, the provision of this Agreement shall control. Otherwise, this Agreement shall be construed under, and in accordance with, the terms of the Services Agreement.
5.6 Severability. Any terms or provisions of this Agreement which will prove to be invalid, void or illegal will in no way affect, impair or invalidate any other term or provision herein and such remaining terms and provisions will remain in full force and effect.
5.7 Modification. This agreement may not be amended, modified, altered, or changed in any respect whatsoever except by a further agreement in writing, fully executed by each of the parties hereto.
5.8 Governing Law. This Agreement will be governed by and construed according to the laws of the state as provided in the Service Agreement.
5.9 Waiver of Breach. The waiver by either party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provision hereof.
5.10 Relationship of the Parties. Business Associate and Covered Entity agree that their relationship under this Agreement shall be that of independent contracting parties and neither Covered Entity nor Business Associate shall be an agent, employee, partner or other legal representative of the other for any reason pursuant to this Agreement, or shall have the right to direct or control the performance of the other under this Agreement. The terms of this Agreement and the Services Agreement shall govern performance of the relationship.
5.11 Third Party Service Providers. Business Associate and Covered Entity agree that there may be third party services providers like Secure Video connectivity providers. Business Associate may maintain back-to-back BAA agreements with such providers and Covered Entity will be protected under such BAA agreements between Business Associate and Third Party service providers.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement effective as of the date set forth above.
Zoom Video Communications, Inc.
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (“Agreement” or “BAA”) is made as of Mar 18, 2021 between Zoom Video Communications Inc. and Affiliates, located at 55 Almaden Blvd, Suite 600, San Jose, CA 95113, hereinafter referred to as “Zoom” or “Business Associate”, and Therasoft Inc, located at 1420 5th Ave STE 2200 Seattle WA 98101, hereinafter referred to as “Company” or “Customer”.
Company is a HIPAA Covered Entity or Business Associate and Zoom is acting as a service provider to Company and may receive, use, maintain, disclose or otherwise process Protected Health Information for or on behalf of Company.
The parties desire to comply with relevant Federal and State confidentiality standards, including but not limited to: the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); 45 CFR part 160 and part 164, subparts A and E (the “Privacy Rule”); 45 C.F.R. Part 160 and Subparts A and C of Part 164 (the “Security Rule”), and The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).
NOW THEREFORE, the parties to this Agreement hereby agree as follows:
- Definitions. Terms used, but not otherwise defined, in this Agreement shall have the meaning ascribed to them by HIPAA, the Privacy Rule, the Security Rule, and/or the HITECH Act.
- Affiliate means, with respect to a party, any entity that directly or indirectly controls, is controlled by or is under common control with that party. For purposes of this Agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
- Breach shall mean any acquisition, access, use, or disclosure of Unsecured Protected Health Information that is inconsistent with the terms of this BAA and that compromises the security or privacy of the Unsecured Protected Health Information. Whether an acquisition, access, use, or disclosure of Unsecured Protected Health Information compromises its security or privacy shall be determined by reference to the definition of “breach” in 45 C.F.R. § 164.402.
- Business Associate shall have the meaning specified in 45 CFR § 160.103.
- Covered Entity shall have the meaning specified in 45 C.F.R. § 160.103.
- Electronic PHI is any PHI that is transmitted by or maintained in electronic media.
- Protected Health Information or PHI shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Zoom from, or created, received, maintained, or transmitted by Zoom on behalf of, Customer through Customer’s use of the Services pursuant to this Agreement.
- Required by law shall mean a mandate contained in law that compels a use or disclosure of Protected Health Information.
- Secretary shall mean the Secretary of the Department of Health and Human Services and those employees or agents designated to act on the Secretary’s behalf.
- Security or Security Measures means the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule.
- Service Agreement shall mean the agreement(s) and Terms of Service pursuant to which Zoom is to provide video communication services and other related services to Covered Entity.
- Unsecured Protected Health Information is any Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
- Permitted Uses and Disclosures of Protected Health Information.
- Performance of the Agreement for Zoom Services. Zoom agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement, as required or permitted by the Service Agreement, or as required or permitted by law, provided such use or disclosure would not violate HIPAA if done by Customer, unless expressly permitted under this Agreement.
- Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Zoom may Use and Disclose Protected Health Information for the proper management and administration of Zoom and/or to carry out the legal responsibilities of Zoom, provided that any Disclosure may occur only if: (1) Required by law; or (2) Zoom obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by law or for the purpose for which it was Disclosed to the person, and the person notifies Zoom of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
- Parties’ Responsibilities with Respect to Protected Health Information.
- Zoom’s Responsibilities. To the extent Zoom is acting as a Business Associate, Zoom agrees to the following:
- Limitations on Use and Disclosure. Zoom shall not Use and/or Disclose the Protected Health Information except as otherwise limited in this Agreement or by application of 42 C.F.R. Part 2 with respect to Part 2 Patient Identifying Information, for the proper management and administration of Zoom or to carry out the legal responsibilities of Zoom; provided that in doing so, Zoom will only use the minimum necessary Protected Health Information necessary for the proper management and administration of Zoom’s business specific purposes, or to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1) and, where applicable, 42 C.F.R. Part 2.
- Safeguards. Zoom shall: (1) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this BAA; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
- Subcontractors. Notwithstanding anything to the contrary in the Services Agreement, Business Associate, subject to the restrictions set forth in this provision, may use subcontractors to fulfill its obligations under this BAA. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Zoom shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Zoom to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Zoom with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Zoom remains responsible for its Subcontractors’ compliance with obligations in this BAA.
- Reporting. Zoom shall report to Customer: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which Zoom becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents (as defined below) and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Customer’s Unsecured Protected Health Information that Zoom may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than ten (10) business days after Zoom’s discovery of a Breach. Notification of a Successful Security Incident or other impermissible Use and/or Disclosure of Protected Health Information by Zoom or its subcontractors will be made without unreasonable delay, but in no event more than twenty (20) business days after Zoom’s discovery thereof.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Zoom’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 3b(ii) (Contact Information for Notices) of this BAA. Zoom’s obligation to report under this Section is not and will not be construed as an acknowledgement by Zoom of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
- Disclosures to the Secretary. Zoom agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or received by Zoom on behalf of, Customer available to the Customer, or at the request of the Customer to the Secretary, in a time and manner designated by the Customer or the Secretary, for purposes of the Secretary determining Customer’s compliance with the Privacy Rule.
- Access. Zoom agrees to provide access, at the request of Customer and in the time and manner designated by Customer, to Protected Health Information in a Designated Record Set to Customer or, as directed by Customer, to an Individual (as defined in 45 C.F.R. § 160.103) in order to meet the requirements under 45 CFR §164.524, provided that nothing in this section shall require Business Associate to retain or obtain access to Protected Health Information not already being retained or accessed by Business Associate pursuant to the terms of this agreement.
- Amendment. Zoom agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Customer directs or agrees to pursuant to 45 CFR §164.526 at the request of Customer or an Individual, and in the time and manner designated as reasonably requested by Customer, provided that nothing in this section shall require Business Associate to retain or obtain access to Protected Health Information not already being retained or accessed by Business Associate pursuant to the terms of this BAA and that nothing in this section shall require Business Associate to assign a Designated Record Set where not reasonably practicable in light of Zoom’s encryption practices.
- Accounting of Disclosures. Zoom, at the request of Customer, shall make available to Customer, and in the time and manner designated as reasonably requested by Customer, such information relating to Disclosures made by Zoom as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
- Performance of a Covered Entity’s Obligations. To the extent Zoom is to carry out a Covered Entity obligation under the Privacy Rule, Zoom shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation.
- Customer’s Responsibilities
- No Impermissible Requests. Customer shall not request Zoom to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
- Contact Information for Notices. Customer hereby agrees that any reports, notification, or other notice by Zoom pursuant to this BAA may be made electronically to the Customer contact specified in Section 7 (Notices) below. Customer shall ensure that such contact information remains up to date during the term of this BAA. Failure to submit and maintain as current the aforementioned contact information may delay Zoom’s ability to provide Breach notification under this BAA.
- Safeguards and Appropriate Use of Protected Health Information. Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to exclude Protected Health Information from information Customer submits to technical support personnel through a technical support request. Customer is solely responsible for ensuring the Protected Health Information it transmits via Zoom may be legally disclosed to the communications recipient(s).
- Communicating Changes to Zoom. Customer shall notify Zoom of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Zoom’s use or disclosure of Protected Health Information.
- Communicating Restrictions to Zoom. Customer shall notify Zoom of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 CFR §164.522 or 42 C.F.R. Part 2, to the extent that such restriction may affect Zoom’s use or disclosure of Protected Health Information.
- Communicating Restrictions in Notices of Privacy Practices to Zoom. Customer shall notify Zoom of any limitation(s) in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Zoom’s use or disclosure of Protected Health Information.
- Term and Termination.
- Term. The term of this Agreement shall begin as of the effective date of the Service Agreement or when Customer introduces Protected Health Information to the Service environment and shall terminate when all of the Protected Health Information provided by Customer to Zoom, or created or received by Zoom on behalf of Customer, is destroyed or returned to Customer, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
- Termination for Breach. Upon Customer’s knowledge of a material breach by Zoom, Customer shall either:
- Provide an opportunity for Zoom to cure the breach or end the violation and terminate this Agreement and the Service Agreement if Zoom does not cure the breach or end the violation within a reasonable time specified by Customer;
- Immediately terminate this Agreement and the Service Agreement if Zoom has breached a material term of this Agreement and cure is not possible; or
- If neither termination nor cure is feasible, Customer shall report the violation to the Secretary.
- Return, Destruction, or Retention of Protected Health Information Upon Termination. Except as provided in paragraph (d) of this Section, upon any termination or expiration of this Agreement, Zoom shall return or destroy all Protected Health Information received from Customer, or created or received by Zoom on behalf of Customer. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Zoom. Zoom shall retain no copies of the Protected Health Information. Notwithstanding the foregoing, Business Associate may retain a copy of PHI received from, or created or received by Business Associate for or on behalf of Covered Entity which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, provided that Business Associate extends the protections of this Agreement to such information.
- In the event that Zoom determines that returning or destroying the Protected Health Information is infeasible, Zoom shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon Customer’s written agreement that return or destruction of Protected Health Information is infeasible, Zoom shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Zoom maintains such Protected Health Information.
- Any notices to be given under this Agreement, including without limitation any Breach notification, to a party shall be made in writing and delivered via electronic mail to the contact at the address indicated below (or at such other address as a party may specify by notice to the others pursuant hereto). Notices shall be addressed as follows:
- If to Zoom, to:
- Zoom Video Communications, Inc.
- Email: email@example.com
- Attention: Privacy Officer
- And to firstname.lastname@example.org
- If to Customer, to:
- Company: Therasoft Inc
- Email: email@example.com
- Attention: Jaswant Pujari
- No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and Zoom under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Zoom an agent of Customer.
- No Third Party Beneficiary. This Agreement is intended for the sole benefit of the Business Associate and Prime Subcontractor and does not create any third party beneficiary rights.
- A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.
- The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Customer to comply with the requirements of HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, and 42 C.F.R. Part 2.
- The respective rights and obligations of Zoom under Section 6(d) and (e) of this Agreement shall survive the termination of this Agreement.
- Any ambiguity in this Agreement shall be resolved to permit Customer to comply with HIPAA, the Security Rule, any applicable aspects of the Privacy Rule, the HITECH Act, and 42 C.F.R. Part 2.
- If Zoom knows of a pattern of activity or practice of the Customer that constitutes a material breach or violation of the Customer’s obligations under this Agreement, Zoom must take reasonable steps to notify Customer to cure the breach or end the violation. If the steps are unsuccessful, Zoom may terminate this Agreement or, if termination is not feasible, report the problem to the Secretary of DHHS. Zoom shall provide written notice to the Customer of any activity or practice that is believed to constitute a material breach or violation of the Agreement within 5 days of discovery and shall meet with the Customer to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.
- This Agreement constitutes the entire agreement between the parties hereto with respect to the obligations set forth herein and supersedes and replaces any prior agreements between the parties relating to such obligations.
- IN WITNESS WHEREOF, the undersigned have executed this Agreement as of the date first set forth above.
- Therasoft Inc
- Name: Jaswant Pujari
- Title: CEO
- Date: Mar 18, 2021
- BUSINESS ASSOCIATE:
- Zoom Video Communications, Inc.
- Name: Lynn Haaland
- Title: Deputy GC, Chief Compliance and Ethics Officer
- Date: Dec 23, 2020