This Terms of Service (“Agreement”), including Exhibits, is made and entered into as of the date of signature between Somnoware Healthcare Systems, Inc., a Delaware corporation (“Somnoware”), and you (“Client”). This Agreement sets forth the terms pursuant to which Somnoware will provide Client with Somnoware’s web-based sleep data management service (the “Service”). The parties agree as follows:
1. DEFINITIONS
1.1 “Acceptable Subject Data” means Subject Data that is collected from diagnostic devices; therapy devices; data received from EHR/EMR; data entered or scanned by designated users and data received from patients or users via mobile devices.
1.2 “Authorized Facilities” means the list of Client’s facilities set forth on Somnoware Trial Agreement, as it may be amended from time to time in writing and signed by an authorized agent of Somnoware in accordance with Section 10.13.
1.3 “Case” means each submission by the Client to Somnoware of Subject Data from an Authorized Facility in accordance with this Agreement for Somnoware to provide the Services.
1.4 “Designated User” is defined in Section 2.12.
1.5 “Documentation” means the user documentation, in all forms, that Somnoware provides relating to the Service, including user manuals, instructions for use and on-line help files.
1.6 “Protected Health Information” is defined in the HIPAA Business Associate Agreement attached hereto, and incorporated herein by reference.
1.7 “Results” means the discrete data collected from the patients’ diagnostic test or therapy devices; discrete data collected from EHR/EMR; reports generated by physicians; management reports; reports compiled by designated users; orders generated by physicians. “Service” is defined in the preamble.
1.8 “Somnoware IP Rights” means all intellectual property rights owned or controlled by Somnoware, including patents and patent applications, copyrights, trademarks and trade secrets.
1.9 “Somnoware Technology” means all technology, software, hardware, processes, algorithms, user interfaces, know-how, trade secrets, techniques, designs, inventions and other tangible or intangible technical material or information that is owned or controlled by Somnoware at any time.
1.10 “Subject” means an individual patient for whom Client desires Somnoware to provide the Services.
1.11 “Subject Data” means the data and information (including Protected Health Information) about a Subject that Client provides to Somnoware under this Agreement.
1.12 “Update” means a modification to the Service that Somnoware provides to its customers free of charge.
1.13 “User Credential” is defined in Section 2.12.
2. USE OF THE SERVICE
2.1 License Grant. Subject to the terms and conditions of this Agreement, Somnoware grants to Client a limited, non-exclusive, non-transferable (except as permitted in Section 10.4) license, without the right to grant any sublicenses, under the Somnoware IP Rights, solely: (a) to submit Subject Data from Authorized Facilities to Somnoware to provide the Service; (b) to obtain the Results from Somnoware for use solely in connection with (1) the medical treatment of such Subject and related aspects of Client’s and its physicians’ own business operations, including, without limitation the seeking of reimbursement for such medical treatment, and (2) providing information to accreditation and regulatory agencies exercising jurisdiction over Client or its physicians; and (c) to reproduce, without modification, and internally use a reasonable number of copies of the Documentation, solely in connection with use of the Service in accordance with this Agreement.
2.2 Service. Client may access and use the Service in accordance with the terms and conditions of this Agreement. Upon receipt of a Case that contains Acceptable Subject Data, Somnoware shall provide the Service in respect of such Case in accordance with the terms and conditions of this Agreement. Somnoware shall provide the Results in accordance with the online policies and help documentation provided by Somnoware from time to time. For the avoidance of doubt, nothing in this Agreement obligates Client: (a) to use the Service, or to use the Service with any particular frequency; or (b) to refrain from using any other clinical test or procedure.
2.3 Installation, Implementation and Training. Each party shall use commercially reasonable efforts to perform its installation and implementation obligations as described in Somnoware Trial Agreement; provided, however, that Somnoware shall have no obligation to provide the Service until Client has performed all of Client’s obligations under Somnoware Trial Agreement. Somnoware shall use commercially reasonable efforts to provide the training, if any, described in Somnoware Trial Agreement. In addition, Somnoware provides product training, education and support in connection with its products and services, including training on the safe and effective use of its product. This may include hands-on training, on-boarding sessions, lectures and presentations, among other training and/or educational sessions and support.
2.4 Third Party Software and Hardware Requirements. Client shall, at its sole cost and expense, purchase, install, maintain and operate all third-party software and hardware that is necessary for Designated Users to access and use the Service in accordance with this Agreement, to the extent set forth in Somnoware Trial Agreement. Somnoware shall not have any obligations with respect to such third-party software or hardware. Somnoware may, in its sole discretion, assist Client with obtaining, installing, maintaining or operating such third-party software or hardware; provided, however, that (a) any such assistance shall not alter Client’s sole responsibility for such third-party software and hardware, and (b) all such assistance is provided on an “as-is” basis, without warranty of any kind.
2.5 Server Location. Somnoware reserves the right to locate the servers and other equipment needed to provide the Service contemplated by this Agreement either at its facilities or at the facilities of independent service providers. Notwithstanding the foregoing: (1) Somnoware’s engagement of a third party to provide the Service shall not operate to relieve Somnoware of duties or liabilities of Somnoware set forth in this Agreement; (2) without the prior written consent of Client, Somnoware shall not store or process, itself or through a third party, any information which is subject to the provisions of HIPAA Business Associate Agreement of this Agreement at a physical location outside of the United States of America.
2.6 Updates. Somnoware may, from time to time and when and if available, provide Client with Updates that are provided in the form of a general release to similarly situated Somnoware customers. If Somnoware provides Client with an Update, Client shall (a) provide Somnoware with reasonable web access to Client’s premises, software and hardware used by Client to use the Service in order to install such Update and (b) use such Update in using and accessing the Service. Somnoware staff shall comply with reasonable and generally applicable Client policies and procedures while on Client’s premises or while working in Client’s information technology environments.
2.7 Privacy & Security. Somnoware reserves the right to modify its privacy and security policies in its reasonable discretion from time to time. In case of discrepancies between the provisions of the policies and the provisions of this Agreement, the provisions of this Agreement shall prevail. Notwithstanding the foregoing, nothing in the parts of this Agreement other than HIPAA Business Associate Agreement, including without limitation the operation of this Section 2.7, shall supersede or alter Somnoware’s obligations described in HIPAA Business Associate Agreement of this Agreement.
2.8 Protected Health Information. HIPAA Business Associate Agreement to this Agreement shall govern Somnoware’s use of Protected Health Information.
2.9 Ownership of Subject Data; Use. As between Somnoware and Client, all Subject Data shall be the property of the Client. Client acknowledges that (a) use of Subject Data by Somnoware to improve the Service can achieve improved outcomes for patients, including use of Subject Data for regulatory filings; (b) Somnoware is subject to certain regulatory requirements wherein Somnoware must disclose Subject Data to such regulatory authorities, for example to enable the auditing of products and services; and (c) Client’s physicians and healthcare professionals may ask Somnoware to provide historical Subject Data in order to provide better care, including by tracking a Subject’s disease progression. Client agrees that Somnoware may retain and use Subject Data for the purpose of (w) providing support and preventative maintenance of the Service, (x) improving the Service and Somnoware’s related products and services, (y) ensuring compliance with applicable laws and regulations, and (z) providing a general resource for Somnoware’s clinical research and market access. Therefore, subject to the terms of this Agreement, Somnoware may use Subject Data in any manner that a Business Associate is legally permitted to undertake under HIPAA (as defined in HIPAA Business Associate Agreement) and applicable law, as each may be amended from time to time. Client will obtain each Subject’s consent for use of the Service with such Subject Data in the same manner as Client obtains general consent from Client’s patients for healthcare services unrelated to this Agreement, and Client represents and warrants to Somnoware that such consent is sufficient for the purposes permitted herein.
2.10 Ownership of Results; Use. Subject to Somnoware’s rights in the Somnoware IP Rights, Somnoware Technology and Documentation, as between Client and Somnoware, the Results shall be the property of Client and Patient (Subject). Client acknowledges that (a) use of Results by Somnoware to improve the Service can achieve improved outcomes for patients, including use of Results for regulatory filings; (b) Somnoware is subject to certain regulatory requirements wherein Somnoware must disclose Results to such regulatory authorities, for example to enable the auditing of products and services; and (c) Client’s physicians and healthcare professionals may ask Somnoware to provide historical Results in order to provide better care, including by tracking a Subject’s disease progression. Client agrees that Somnoware may retain and use Client’s Results for the purpose of (w) providing support and preventative maintenance of the Service, (x) improving the Service and Somnoware’s related products and services, (y) ensuring compliance with applicable laws and regulations, and (z) providing a general resource for Somnoware’s clinical research and market access. Therefore, subject to the terms of this Agreement, Somnoware may use Results in any manner that a Business Associate is legally permitted to undertake under HIPAA and applicable law, as each may be amended from time to time. Client will obtain each Subject’s consent for use of the Service with such Results in the same manner as Client obtains general consent from Client’s patients for healthcare services unrelated to this Agreement, and Client represents and warrants to Somnoware that such consent is sufficient for the purposes permitted herein.
2.11 Use Restrictions. Except as otherwise explicitly provided in this Agreement or as may be expressly permitted by applicable law, Client will not, and will not permit or authorize any third party to: (a) sublicense, rent, loan, lease, or otherwise permit a third party to access or use any portion of the Service or Documentation; (b) provide the Service to third parties that do not have accounts with Client; or (c) reverse engineer, modify, decompile, disassemble, circumvent or disable security or other technological features or measures of the Service.
2.12 Usernames and Passwords. Somnoware shall provide Client with a reasonable number of usernames and passwords in order for Client to use and access the Service (such username and password combinations, “User Credentials”). Each User Credential shall be personal and unique to the applicable Client employee or contractor designated by Client to access and use the Service under this Agreement (“Designated User”). Somnoware shall remove and/or reissue User Credentials from time to time as reasonably requested by Client.
2.13 Protection Against Unauthorized Use. Client shall not, and shall cause its Designated Users to not, provide its User Credentials to any third party, and will not, directly or indirectly, permit or allow any unauthorized access to or use of the Service. Client shall perform all activity associated with its Service accounts in accordance with the terms and conditions of this Agreement. Client shall use commercially reasonable efforts to prevent any unauthorized use of the Service and immediately notify Somnoware in writing of any unauthorized use that comes to Client’s attention. If there is unauthorized use by anyone who obtained access to any part of the Service directly or indirectly through Client, then Client shall, at its sole cost and expense, take all steps reasonably necessary to terminate such unauthorized use. Client shall cooperate and assist with any actions taken by Somnoware to prevent or terminate unauthorized use of any part of the Service.
2.14 Reservation of Rights; Ownership. Other than as expressly set forth in this Agreement, no license or other rights in the Somnoware IP Rights are granted to the Client whether by implication, estoppel, or otherwise. As between the parties, Somnoware is and shall remain the sole and exclusive owner of all right, title and interest in and to the Somnoware Technology, Somnoware IP Rights and the Documentation, and to all intellectual property rights in the foregoing.
2.15 Compliance with Laws; Responsibility for Subject Data; Discount Safe Harbor. (a) Somnoware shall maintain the Service and Documentation in compliance with all applicable laws, including without limitation the maintenance of any required FDA or any applicable regulatory approvals. Client’s clinical care activities conducted with the use of the Service (including the Results) and Documentation shall be in compliance with all applicable laws and regulations including all laws and regulations related to privacy of Subject Data and Results. Neither party shall engage in any unethical conduct or any other conduct that damages or reasonably might damage the reputation of the other party, provided that truthful communications to regulatory or accreditation agencies shall not be considered violations of the foregoing obligation. Client shall ensure the accuracy, integrity, quality, legality, reliability, and appropriateness of all Subject Data at the time it is provided to Somnoware. (b) Client shall, in connection with this Agreement, comply with all applicable federal and state laws, regulations, and other authorities, specifically including but not limited to the federal health care program anti-kickback law, 42 U.S.C. § 1320a-7b(b) (“Anti-Kickback Law”). As part of the cost reporting process or otherwise, Client may be obligated to report and provide information concerning any discounts, rebates, or other price reductions provided under this Agreement pursuant to 42 U.S.C. § 1320a-7b(b)(3)(A) (the discount exception to the Anti-Kickback Law) and/or 42 C.F.R. § 1001.952(h) (the discount safe harbor to the Anti-Kickback Law), other federal or state laws, or agreement with third party payers. Client hereby acknowledges its legal obligations to fully and accurately report the discounts, rebates and/or other price reductions it receives under this Agreement per these authorities.
Client should retain this Agreement (and any other documentation of discounts, rebates, or other price reductions) and make such information available to federal or state health care programs or other payers upon request.
2.16 No Warranties. Client shall not make or publish any representations, warranties, guarantees or commitments on behalf of Somnoware concerning any matter whatsoever; provided that Client may generally answer, within the range of Client’s and Client’s physicians’ knowledge as healthcare providers, questions received about Somnoware and the Service arising from Client’s and its physicians’ own business, including by way of example questions from patients, third party payers, and applicable regulating agencies exercising jurisdiction over Client and its physicians. For the avoidance of doubt, this Section 2.16 shall not operate to prevent Client from using the Service in connection with clinical research or describing such use in the context of published research studies.
2.17 Somnoware Cooperation. [The parties acknowledge that as of the Effective Date, the Service is a new healthcare technology and that Client may need to engage in discussions with insurance companies and other payers of Client’s services in order to obtain reimbursement for the Service. Somnoware agrees to use commercially reasonable efforts to provide assistance in this regard upon Client’s request, including by way of example attendance on a conference call with a third party payer to explain the clinical and financial benefits of the Service.]
3. SERVICE LEVELS AND SUPPORT
3.1 Quality of Service. Somnoware shall use commercially reasonable efforts to provide the Service with minimum disruptions; provided, however, that: (i) Somnoware does not guarantee that the Service will function without disruptions, delays or other imperfections, including because of power outages or internet service disruptions beyond Somnoware’s control, which may cause disruptions in the Service and preclude Client’s continuous, interruption-free access to the Service; and (ii) Somnoware may reasonably suspend the Service for maintenance purposes upon reasonable advance notice to Client, and Somnoware shall use reasonable efforts to conduct such maintenance outside of regular business hours.
3.2 Availability. Without limiting Section 3.1, Somnoware shall use commercially reasonable efforts to make the Service available to Client per the SLA in Exhibit Support Services. Provided that Client is current with its payment of all applicable fees under this Agreement, Client shall be entitled to receive Somnoware’s standard email and telephone technical support services that Somnoware generally provides to its customers, free of charge in a form substantially in accordance with the online policies and help documentation provided by Somnoware from time-to-time; provided, however, that unless otherwise expressly agreed to by Somnoware in a separate written agreement, the support services do not include any work with or relating to any third-party equipment or software. The support services described in this Section 3.2 shall be provided at no charge to Client, and shall be reasonably suitable to support the typical needs of a customer utilizing the Service in a similar fashion to Client.
3.3 Additional Services; Interfaces. Client may request that Somnoware provide additional or non-standard services that are outside the scope of the Service, including without limitation, assistance in the creation of interfaces to allow the exchange of information between Somnoware and Client’s electronic medical record systems or other Client information systems. Upon such request from Client, Somnoware shall reasonably assess whether the requested assistance is within Somnoware’s technical capabilities, and if so, any associated additional Somnoware fees chargeable to Client (which fees shall not exceed Somnoware’s usual and customary fees for such services). If Client agrees to the payment of such fees, the parties shall enter into an agreement for such additional services and additional fees.
4. FEES AND PAYMENT TERMS
4.1 Fees. Client shall pay Somnoware the fees for the Service as set forth in Somnoware Trial Agreement. Somnoware may revise the fees set forth in Somnoware Trial Agreement following the Initial Term not more than once per calendar year, effective upon notice to Client.
4.2 Payment Terms. All amounts payable under this Agreement are non-refundable once paid. Client shall pay all amounts due to Somnoware under this Agreement within the payment period described in Somnoware Trial Agreement. Client shall pay all amounts due under this Agreement in United States dollars unless another currency is expressly set forth in Somnoware Trial Agreement. In any dispute arising under this Agreement, the prevailing party shall, in addition to any damages or remedies awarded to such party, be entitled to recover its reasonable costs and expenses relating to the dispute (including without limitation reasonable attorney fees). Late payments will incur interest at the rate of three (3) points above the prime rate (as reported by the Wall Street Journal on the date the payment came due, or a reasonable alternative source if the Wall Street Journal should cease to publish the prime rate) (or the maximum rate permitted by law, if lesser), accruing daily.
4.3 Payment and Invoicing Instructions. (a) Payment as set forth in this Section 4 for all invoices shall be made by bank transfer or check sent to the address and account listed in Somnoware Trial Agreement. (b) Somnoware shall send all invoices as set forth on Somnoware Trial Agreement on a monthly basis to the billing contact described on the signature page or to such updated contact information as Client may provide to Somnoware from time to time.
4.4 Taxes. (a) Fees due and payable to Somnoware under this Agreement exclude all taxes, levies, imports, duties, charges, fees and withholdings of any nature now or hereafter imposed by any governmental, fiscal or other authority. (b) Other than federal and state net income taxes imposed on Somnoware by the United States, Client is responsible for payment of all taxes, levies, imports, duties, charges, fees and withholdings of any nature now or hereafter imposed by any governmental, fiscal or other authority. If Client is a tax-exempt entity, then Somnoware shall reasonably cooperate with Client with respect to tax issues related to (1) this Agreement and (2) Client’s status as a tax-exempt entity. (c) All payments made to Somnoware by Client under this Agreement shall be made without any deduction or set-off (for the avoidance of doubt, other than service level credits provided for in Section 3.2) and free and clear of and without deduction for or on account of any taxes, levies, imports, duties, charges, fees and withholdings of any nature now or hereafter imposed by any governmental, fiscal or other authority except as required by applicable law. If Client makes any such deduction, it shall pay Somnoware such additional amounts as are necessary to ensure that Somnoware receives the full amount that Somnoware would have received but for the deduction.
5. TERM AND TERMINATION
5.1 Term. This Agreement will commence upon the Effective Date and remain in effect for one year (the “Initial Term”). Upon expiration of the Initial Term, this Agreement shall automatically renew for consecutive one-year terms (each a “Renewal Term”, and the Initial Term and all Renewal Terms, collectively, the “Term”) unless (a) a party provides written notice to the other party at least 30 days prior to the expiration of the current Term not to renew this Agreement, or (b) this Agreement is earlier terminated under: (1) Section 5.2 (Termination for Convenience); or (2) Section 5.3 (Notice of Material Breach or Default).
5.2 Termination For Convenience. After the Initial Term, either party may terminate this Agreement for convenience upon at least sixty (60) days’ written notice to the other party.
5.3 Notice of Material Breach or Default; Exclusion; Bankruptcy. (a) Either party may terminate this Agreement if: (a) such party (the “Non-Breaching Party”) delivers written notice to the other party (the “Breaching Party”) describing the breach in reasonable detail (the “Breach Notice”); (b) the Breaching Party fails to cure such breach within thirty (30) days after the date that the Non-Breaching Party delivered such Breach Notice (such period, the “Cure Period”); and (c) the Non-Breaching Party delivers to the Breaching Party, within ninety (90) days after the applicable Cure Period has expired, a subsequent written notice terminating this Agreement (the “Termination Notice”). (b) Either party may terminate this Agreement, immediately upon written notice to the other party in the event that the other party is excluded by an applicable regulatory authority from participation in a health care payment program in which Client participates that is funded in whole or part by the federal or a state government. (c) Either party may terminate this Agreement, immediately upon written notice to the other party, in the event that the other party seeks protection in bankruptcy, or is the subject of a bankruptcy petition that is not dismissed within one hundred and eighty (180) days after filing.
5.4 Post-Termination Obligations. If this Agreement expires or terminates for any reason, then: (a) Somnoware may immediately cease providing Service upon no less than five (5) business days prior notice of such cessation, and Somnoware shall deliver to Client the Results relating to Cases that were submitted to Somnoware prior to the effectiveness of such suspension; (b) Client shall pay to Somnoware any fees, or other amounts that have accrued prior to the effective date of such expiration or termination; (c) upon such expiration or termination, each party shall, at the other party’s direction and subject to Section 9, either return or destroy all Confidential Information of the other party in its possession at the time of expiration or termination and provide written certification of any Confidential Information of the other party that was destroyed to such party. Neither party shall make or retain any copies of such Confidential Information, except as required to comply with any applicable legal, regulatory or accounting record keeping requirement. Any and all liabilities accrued prior to the effective date of the expiration or termination will survive.
5.5 Survival. The following provisions will survive any expiration or termination of this Agreement: Sections 1 (Definitions), 2.9 (Ownership of Subject Data; License), 2.10 (Results), 2.10 (Storage of Subject Data and Results), 2.11 (Use Restrictions), 2.14 (Reservation of Rights; Ownership), 2.15 (Compliance with Laws; Responsibility for Subject Data), 2.16 (No Warranties), 5.4 (Post-Termination Obligations), 5.5 (Survival), 6 (Warranties and Disclaimer), 7 (Indemnification), 8 (Limitations of Liability), 9 (Confidentiality & Privacy) and 10 (General), and HIPAA Business Associate Agreement.
6. WARRANTIES AND DISCLAIMER
6.1 Mutual Warranties. Each party represents and warrants to the other that: (a) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such party in accordance with its terms; (b) no other authorization or approval from any third party is required in connection with such party’s execution, delivery or performance of this Agreement; (c) the execution, delivery and performance of this Agreement does not violate the laws of any jurisdiction or the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound; and (d) it will comply with all applicable laws in connection with this Agreement.
6.2 Somnoware’s Additional Representations and Warranties. Somnoware represents and warrants that it will provide the Services with professional quality, consistent with generally acceptable industry standards for the performance of services of similar nature. Client’s sole remedy and Somnoware’s sole obligation with respect to a breach of the foregoing warranty will be for Somnoware to re-perform the affected aspects of the Services in a manner that conforms to this warranty. Somnoware further warrants that it shall, and it shall cause its contractors to, maintain such security measures for its information systems as are, at any given time, usual and customary for vendors that may store and process protected health information of patients.
6.3 Disclaimer. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS AGREEMENT AND ITS EXHIBITS, SOMNOWARE, ITS AGENTS AND CONTRACTORS MAKE NO ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW) OR STATUTORY, AS TO ANY MATTER WHATSOEVER. SOMNOWARE, ITS AGENTS AND CONTRACTORS EXPRESSLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE AND NON-INFRINGEMENT. SOMNOWARE, ITS AGENTS AND CONTRACTORS DO NOT WARRANT AGAINST INTERFERENCE WITH THE ENJOYMENT OF THE SERVICE OR THAT, WITHOUT LIMITATION TO SOMNOWARE’S DUTY TO INDEMNIFY SET FORTH HEREIN, THE SOMNOWARE SERVICE DOES NOT INFRINGE ANY INTELLECTUAL PROPERTY RIGHT OF ANY THIRD PARTY. CLIENT UNDERSTANDS AND AGREES THAT SOMNOWARE PROVIDES DATA AND INFORMATION ONLY AND DOES NOT PROVIDE A DIAGNOSIS OR RECOMMENDATION FOR MEDICAL TREATMENT FOR A SUBJECT. SOMNOWARE, ITS AGENTS AND CONTRACTORS DO NOT WARRANT THAT THE SERVICE OR SERVICES ARE ERROR-FREE OR THAT OPERATION OF THE SERVICE WILL BE SECURE OR UNINTERRUPTED. SOMNOWARE, ITS AGENTS AND CONTRACTORS EXERCISE NO CONTROL OVER, AND EXPRESSLY DISCLAIM, ANY LIABILITY ARISING OUT OF OR BASED UPON CLIENT’S USE OF THE SERVICE OR RESULTS.
7. INDEMNIFICATION
7.1 Indemnification by Client. Client shall defend, indemnify and hold Somnoware, its affiliates and their respective stockholders, directors, officers, employees, agents, contractors, representatives, partners and affiliates (collectively, the “Somnoware Indemnified Parties”) harmless from any actual or threatened third party claim or losses, or regulatory breaches or penalties (including all damages, costs, fines and attorneys’ fees finally awarded against the Somnoware Indemnified Parties in any proceeding under this Section 7.1, all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by the Somnoware Indemnified Parties in connection with the defense of such proceeding, and all amounts to any third party agreed to by Client in settlement of any such claims) arising out of or based upon Client’s clinical activities, except to the extent caused by a failure of the Service outside of the control of Client, or Somnoware’s breach of any of the provisions of this Agreement. The Somnoware Indemnified Parties shall: (a) give Client prompt written notice of the claim, threatened claim or regulatory enquiry or investigation; (b) grant Client full and complete control over the defense and settlement of the claim in accordance with this Section 7.1; (c) assist Client with the defense and settlement of the claim as Client may reasonably request and at Client’s expense; and (d) comply with any settlement or court order made in connection with such claim; provided, however, that Client shall not admit, including in connection with any settlement of a claim, threatened claim or regulatory enquiry or investigation, any guilt or liability of any Somnoware Indemnitee without consent. This Section 7.1 will apply regardless of any insurance coverage held by Somnoware or any affiliate.
7.2 Indemnification by Somnoware. Somnoware shall defend, indemnify and hold Client, its affiliates and their respective stockholders, directors, officers, employees, agents, contractors, representatives, partners and affiliates (collectively, the “Client Indemnified Parties”) harmless from any actual or threatened third party claim or losses, or regulatory breaches or penalties (including all damages, costs, fines, and attorneys’ fees finally awarded against the Client Indemnified Parties in any proceeding under this Section 7.2, all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by the Client Indemnified Parties in connection with the defense of such proceeding, and all amounts to any third party agreed to by Somnoware in settlement of any such claims) arising out of, or in connection with, the alleged infringement of the intellectual property rights of a third party by the Client’s use of the Service as authorized by this Agreement. Client shall: (a) provide Somnoware prompt written notice of such claim; (b) grant Somnoware full and complete control over the defense and settlement of such claim in accordance with this Section 7.2; (c) assist Somnoware with the defense and settlement of such claim as Somnoware may reasonably request and at Somnoware’s expense; and (d) comply with any settlement or court order made in connection with such claim; provided, however, that Somnoware shall not admit, including in connection with any settlement of a claim, any guilt or liability of a Client Indemnified Party without consent. This Section 7.2 will apply regardless of any insurance coverage held by Client or any affiliate.
7.3 Exclusions. A party shall have no obligations to indemnify the other party to the extent such claims arise from the other party’s breach of this Agreement. Somnoware’s duty to provide indemnification for infringement of a third party’s intellectual property shall not apply to the extent that such infringement arises from the combination of the Service with any of Client’s or any third party’s products, services, data, hardware or business processes, in each case other than those indicated by Somnoware in the Documentation or otherwise as being required, recommended or permissible, if the alleged infringement would not have occurred absent such combination. Section 7.2 states Somnoware’s sole and exclusive liability, and Client’s sole and exclusive remedy, for any claims of infringement of intellectual property or other proprietary rights.
8. LIMITATIONS OF LIABILITY
8.1 Liability for Subject Data. Client shall be solely responsible for any liability or damage arising out of or related to Subject Data, including without limitation any errors or omissions in, or loss of, Subject Data. Under no circumstances shall Somnoware, its affiliates or any of their stockholders, directors, officers, employees, agents, contractors, representatives, partners, or affiliates be held liable for any loss or damage related to or arising out of Subject Data.
8.2 Disclaimer of Indirect Damages. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT BUT EXCLUDING (a) A PARTY’S OBLIGATIONS UNDER SECTION 7 (INDEMNIFICATION); (b) A PARTY’S BREACH OF AN OBLIGATION OF CONFIDENTIALITY; AND (c) DAMAGES ARISING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY NOR ITS AFFILIATES OR THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS OR CONTRACTORS WILL, UNDER ANY CIRCUMSTANCES, BE LIABLE TO THE OTHER PARTY FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THE TRANSACTIONS AND ACTIVITY CONTEMPLATED UNDER THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOST PROFITS OR LOSS OF BUSINESS, EVEN IF A PARTY IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.
8.3 Cap on Liability. EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER THIS AGREEMENT AND A BREACH OF SECTION 9 (CONFIDENTIALITY), AND TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, UNDER NO CIRCUMSTANCES WILL EITHER PARTY’S OR ITS AFFILIATES’, OR THEIR DIRECTORS’, OFFICERS’, EMPLOYEES’, AGENTS’ OR CONTRACTORS’ TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL AMOUNT PAID BY CLIENT TO SOMNOWARE UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE DATE OF THE LAST EVENT FROM WHICH SUCH CLAIM ACCRUED.
8.4 Independent Allocations of Risk. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY SOMNOWARE TO CLIENT AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN THIS SECTION 8 WILL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.
9. CONFIDENTIALITY & PRIVACY
9.1 Definition. “Confidential Information” means any trade secrets or other information of a party, whether of a technical, business, or other nature (including, without limitation, information relating to a party’s technology, software, products, services, designs, methodologies, business plans, finances, marketing plans, customers, prospects, or other affairs) that is disclosed to a party during the term of this Agreement and that such party knows or has reason to know is confidential, proprietary or trade secret information of the disclosing party. Confidential Information does not include any information that: (a) was known to the receiving party prior to receiving the same from the disclosing party in connection with this Agreement; (b) is independently developed by the receiving party without use of or reference to the Confidential Information of the disclosing party; (c) is acquired by the receiving party from another source without restriction as to use or disclosure; or (d) is or becomes part of the public domain through no fault or action of the receiving party.
9.2 Restricted Use and Nondisclosure. During and after the Term of this Agreement, each party will: (a) use the other party’s Confidential Information solely for the purpose for which it is provided; (b) not disclose the other party’s Confidential Information to a third party unless the third party must access the Confidential Information to perform a party’s obligations or exercise a party’s rights in accordance with this Agreement and the third party has executed a written agreement that contains terms that are substantially similar to the terms contained in this Section 9; and (c) maintain the secrecy of, and protect from unauthorized use and disclosure, the other party’s Confidential Information to the same extent (but using no less than a reasonable degree of care) that it protects its own Confidential Information of a similar nature.
9.3 Required Disclosure. If either party is required by law to disclose the Confidential Information or the terms of this Agreement, the disclosing party must give prompt written notice of such requirement before such disclosure and assist the non-disclosing party in obtaining an order protecting the Confidential Information from public disclosure. In the event of a limited disclosure of a party’s Confidential Information that is required by law or regulation, the receiving party shall continue to treat such disclosed information as the disclosing party’s Confidential Information for all other purposes and subject to the other terms and conditions of this Agreement.
9.4 Return of Confidential Information. As soon as practicable, but in no event more than ten (10) days following the receipt of a written request from the disclosing party, the receiving party shall destroy or deliver to the disclosing party, as directed by the disclosing party, all materials containing or embodying the disclosing party’s Confidential Information, including without limitation materials in tangible and/or electronic format, and shall deliver to the disclosing party a letter signed by an officer of the receiving party and reasonably satisfactory to the disclosing party certifying that all such materials in the receiving party’s possession have been delivered to the disclosing party or destroyed, as directed by the disclosing party; provided, however, that the receiving party shall be entitled to retain subject to the terms and conditions of this Agreement: (a) one (1) archived copy of the disclosing party’s Confidential Information and all materials created by the receiving party and containing the disclosing party’s Confidential Information, including without limitation notes and memoranda, solely for the purpose of administering the receiving party’s obligations under this Agreement; and (b) the disclosing party’s Confidential Information contained in the receiving party’s electronic back-up files that are created in the normal course of business pursuant to the receiving party’s standard protocol for preserving its electronic records.
10. GENERAL
10.1 Insurance. Each party shall maintain in effect reasonable levels of general liability insurance with financially-stable insurers or self-insurance pools, and shall provide evidence of such insurance to the other party upon request.
10.2 Sunshine Act. In compliance with the Physicians Payment Sunshine Act provision of the Patient Protection and Affordable Care Act of 2010, as may be amended from time to time, Somnoware shall report annually to the United States Federal Government payments made or provision of anything of value to covered physicians and hospitals, including any payments or transfers of value to Client under this Agreement. Information to be reported includes the payee name, state license number, national provider identifier number, business address, specialty, nature of payment and amounts paid. The U.S. Government will subsequently make the reported information publicly available on a searchable, downloadable internet website.
10.3 Relationship. Somnoware is an independent contractor (and not an agent or representative of Client) in the performance of this Agreement. This Agreement will not be interpreted or construed as: (a) creating or evidencing any association, joint venture, partnership or franchise between the parties; (b) imposing any partnership or franchise obligation or liability on either party; or (c) prohibiting or restricting Somnoware’s performance of any services for any third party or the provision of products to any third party.
10.4 Assignability. A party may not assign its rights, duties or obligations under this Agreement without the other party’s prior written consent. If consent is given, this Agreement will bind the consenting party’s successors and assigns. Notwithstanding the foregoing, either party may, without consent of the other party, assign this Agreement and its rights and obligations hereunder in whole or in part to an affiliate of such party, or in whole to its successor in interest in connection with the sale of all or substantially all of such party’s assets to which this Agreement applies, provided that (i) such party provides written notice of such assignment, including the name and address of such assignee, prior to such assignment taking effect; and (ii) any such assignee agrees in writing to assume all of such party’s obligations under this Agreement prior to such assignment taking effect. Any attempt by a party to transfer its rights, duties or obligations under this Agreement except as expressly provided in this Agreement is void.
10.5 Subcontractors. Somnoware may use one or more subcontractors or other third parties to perform its duties under this Agreement so long as Somnoware remains responsible for all of its obligations under this Agreement, including without limitation the HIPAA Business Associate Agreement of this Agreement.
10.6 Reference. Subject to Section 9 regarding confidentiality, Client shall: (a) make one or more representatives reasonably available for reference inquiries from potential Somnoware customers, partners, and investors; (b) permit Somnoware to create and publish a case study regarding the nature of Client’s use of the Service; and (c) permit Somnoware to issue and publish a press release containing a quotation from a representative of Client announcing that Client has subscribed to use the Service. In addition, Client hereby consents to Somnoware’s display of Client’s logo on Somnoware’s web site where Somnoware displays the names and logos of its customers.
10.7 Notices. Any notice required or permitted to be given in accordance with this Agreement will be effective if it is in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate party at the address set forth on the signature page of this Agreement and with the appropriate postage affixed. Either party may change its address for receipt of notice by notice to the other party in accordance with this Section 10.7. Notices are deemed given two (2) business days following the date of mailing or one (1) business day following delivery to a courier if both sender and recipient are within the United States, or if not, then five (5) and two (2) business days, respectively.
10.8 Force Majeure. A party will not be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond the party’s reasonable control, so long as the party uses commercially reasonable efforts to avoid or remove such causes of non-performance.
10.9 Governing Law; Dispute Resolution. This Agreement is made under and will be governed by and construed in accordance with the laws of the State of North Carolina, U.S.A. (except that body of law controlling conflicts of law). Any dispute relating to the terms, interpretation or performance of this Agreement (other than claims for preliminary injunctive relief or other pre-judgment remedies) will be resolved at the request of either party exclusively through binding arbitration administered by JAMS and conducted by a single arbitrator in Charlotte, North Carolina pursuant to its Comprehensive Arbitration Rules and Procedures and in accordance with the Expedited Procedures in those Rules then in effect, provided that either party may petition a court of competent jurisdiction to enforce any arbitration award and for equitable relief, including to seek a temporary restraining order or preliminary or permanent injunction.
10.10 Waiver. The waiver by either party of any breach of any provision of this Agreement does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with this Agreement will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of this Agreement.
10.11 Severability. If any part of this Agreement is found to be illegal, unenforceable or invalid, the remaining portions of this Agreement will remain in full force and effect.
10.12 Interpretation. The parties have had an equal opportunity to participate in the drafting of this Agreement and the attached Exhibits, if any. No ambiguity will be construed against any party based upon a claim that that party drafted the ambiguous language. The headings appearing at the beginning of several sections contained in this Agreement have been inserted for identification and reference purposes only and must not be used to construe or interpret this Agreement. Whenever required by context, a singular number will include the plural, the plural number will include the singular, and the gender of any pronoun will include all genders.
10.13 Counterparts. This Agreement may be executed in any number of identical counterparts, notwithstanding that the parties have not signed the same counterpart, with the same effect as if the parties had signed the same document. All counterparts will be construed as and constitute the same agreement. This Agreement may also be executed and delivered by facsimile and such execution and delivery will have the same force and effect as an original document with original signatures.
10.14 Entire Agreement. This Agreement, including all schedules and Exhibits, is the final and complete expression of the agreement between the parties regarding the Service. This Agreement supersedes, and the terms of this Agreement govern, all previous oral and written communications regarding these matters, all of which are merged into this Agreement. No employee, agent or other representative of a party has any authority to bind such party with respect to any statement, representation, warranty, or other expression unless the same is specifically set forth in this Agreement. No usage of trade or other regular practice or method of dealing between the parties will be used to modify, interpret, supplement or alter the terms of this Agreement. This Agreement may be changed only by a written agreement signed by an authorized agent of the party against whom enforcement is sought. A party will not be bound by, and specifically objects to, any term, condition or other provision that is different from or in addition to this Agreement (whether or not it would materially alter this Agreement) that is proffered by the other party in any receipt, invoice, acceptance, confirmation or correspondence unless the party specifically agrees to such provision in writing and such writing is signed by an authorized agent of the party.
HIPAA Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into this date, by and between you (“Client” or “Covered Entity”) and Somnoware Healthcare Systems, Inc. (“Somnoware”).
WHEREAS, Client is a Covered Entity that has engaged Somnoware to provide certain “Services” (as defined below) set forth in the Terms of Service (the “Agreement”), and carrying out such Services may involve the use or disclosure of Protected Health Information (“PHI”), as defined below; and
WHEREAS, in connection with providing the Services, Somnoware and Covered Entity recognize their obligations to comply with applicable requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Pub. L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and the Privacy Rule, Security Rule and Breach Notification Rule (each as defined below) promulgated thereunder (collectively, the “HIPAA Rules”); and
NOW, THEREFORE, in consideration of the foregoing and the covenants herein contained, the parties hereto agree as follows:
I. DEFINITIONS
A. “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
B. “Breach Notification Rule” shall mean the requirements for Breach Notification for Unsecured Protected Health Information, codified at 45 C.F.R. Parts 160 and 164.
C. “Business Associate” shall have the meaning given to such term in 45 C.F.R. § 160.103 and for the purposes of this Agreement, shall mean Somnoware, but only when used in connection with the Service offered to Covered Entity pursuant to the Agreement.
D. “Covered Entity” shall have the meaning given to such term in 45 C.F.R. § 160.103 and, for the purposes of this BAA, shall mean Client.
E. “Designated Record Set” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.501.
F. “Electronic Protected Health Information” or “EPHI” shall have the meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103.
G. “Individual” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. Section 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
H. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
I. “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity in connection with the Services.
J. “Required by Law” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.103.
K. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
L. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
M. “Security Incident” shall have the meaning given to such phrase under the Security Rule at 45 C.F.R. § 164.304.
N. “Services” shall mean any services that Somnoware provides to Covered Entity that involve the exchange of PHI and where Somnoware would meet the definition of “Business Associate” as set forth above in Section I(C).
O. “Unsecured PHI” shall have the meaning given to such phrase under the Breach Notification Rule at 45 C.F.R. § 164.402.
II. USES AND DISCLOSURES BY BUSINESS ASSOCIATE UNDER THE PRIVACY RULE
A. Permitted Uses and Disclosures of PHI. Except as provided in Paragraphs (B), (C), (D), (E), and (F) below, Business Associate may only use or disclose PHI as necessary to perform the Services on behalf of Covered Entity, provided that any such use or disclosure does not violate the HIPAA Rules.
B. Use for Management and Administration. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), use PHI if necessary (i) for the proper management and administration of Business Associate, including as specified in Section 2 of the Agreement, or (ii) to carry out the legal responsibilities of Business Associate.
C. Disclosure for Management and Administration. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), disclose PHI for the proper management and administration of Business Associate, provided (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed (“Person”) that it will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Person, and that the Person agrees to notify Business Associate in writing of any instances of which it becomes aware in which the confidentiality of the information has been breached.
D. Reporting Violations. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 C.F.R. § 164.502(j)(1).
E. Data Aggregation. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
F. De-Identification. Business Associate may use PHI to create de-identified information consistent with 45 C.F.R. § 164.514(a),(b).
G. Required Uses and Disclosures. Business Associate shall make the uses and disclosures required under 45 C.F.R. § 164.502(a)(4).
III. PRIVACY RULE OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A. Limitations on Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule and this BAA.
B. Appropriate Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA or as Required by Law.
C. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
D. Reporting of Improper Use or Disclosure. Business Associate shall report promptly to Covered Entity any use or disclosure of PHI not provided for by the BAA after becoming aware of such use or disclosure.
E. Business Associate’s Agents. Business Associate shall ensure that any agent or subcontractor to whom it provides any PHI agrees in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI.
F. Access to PHI. Business Associate shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set, so that Covered Entity can comply with the access requirements under the Privacy Rule at 45 C.F.R. § 164.524.
G. Amendment of PHI. Business Associate shall make any PHI contained in a Designated Record Set available to Covered Entity for purposes of amendment and shall incorporate amendments per 45 C.F.R. § 164.526.
H. Accounting/Documentation of Disclosures. To the extent applicable, Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule at 45 C.F.R. § 164.528.
I. Governmental Access to Records. Business Associate shall make its internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary and Covered Entity for purposes of determining Covered Entity’s compliance with the Privacy Rule as applicable.
J. Minimum Necessary. Business Associate shall comply with the minimum necessary standards in 45 C.F.R. § 164.502(b).
K. Prohibition on Selling PHI, Marketing and Fundraising. Business Associate is specifically prohibited from (i) selling PHI or receiving any direct or indirect remuneration from a third party in exchange for PHI and (ii) using or disclosing PHI in violation of the marketing prohibitions set forth in the HIPAA Rules; provided, however, that the prohibition under clause (i) shall not affect payment to Business Associate by Covered Entity for the performance of Services. Business Associate shall not use or disclose PHI for fundraising.
L. Other Obligations. In the event Business Associate carries out any obligation of Covered Entity, per the terms of this BAA, it shall comply with the applicable provisions of the HIPAA Rules. 45 C.F.R. § 164.504(e)(2)(ii)(H).
IV. SECURITY RULE OBLIGATIONS
A. Business Associate Obligations. Business Associate shall implement the requirements set forth in this Section IV with regard to Electronic Protected Health Information.
B. Safeguards. Business Associate shall comply with applicable provisions of the Security Rule, including, without limitation, having in place Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the EPHI that it creates, receives, maintains or transmits on behalf of Covered Entity pursuant to the BAA.
C. Subcontractors. Business Associate shall ensure that any agent or subcontractor to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect such EPHI.
D. Security Incident Reporting. Business Associate shall report any Security Incident promptly upon becoming aware of such incident. However, the parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
V. BREACH NOTIFICATION RULE OBLIGATIONS
A. Business Associate shall implement reasonable systems for the discovery and reporting to Covered Entity of any Breach of Unsecured PHI.
B. Without unreasonable delay, and in no case later than 30 calendar days following the Business Associate’s discovery of a Breach, Business Associate shall provide written notification to Covered Entity of a Breach of Unsecured PHI, unless Business Associate is prevented from doing so pursuant to 45 C.F.R. § 164.412 (law enforcement delay). The notice shall include, to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. Business Associate shall provide the Covered Entity with any other available information that the Covered Entity is required to include in notification to the individual under § 164.404(c) at the same time of the notification or promptly thereafter as information becomes available.
C. For purposes of reporting a Breach to Covered Entity, the discovery of a Breach shall occur as of the first day on which such Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Business Associate will be considered to have had knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach) who is an employee, officer or agent of the Business Associate.
VI. TERM AND TERMINATION
A. Term. This BAA shall be effective upon Covered Entity’s engagement of Business Associate for the provision of Services for and on behalf of Covered Entity and execution of the Agreement, and shall expire upon the conclusion of Covered Entity’s engagement of Business Associate.
B. Termination for Cause. Upon Covered Entity’s knowledge of breach of a material term of this BAA by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure, and, if Business Associate does not cure the breach within 45 days, Covered Entity may immediately terminate this BAA and the engagement. If neither termination nor cure is feasible, Covered Entity shall report the breach to the Secretary.
C. Effect of Termination.
1. Except as provided below in Section VI (C)(2) of this BAA, upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
2. Where Business Associate asserts that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Business Associate’s good faith representations that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
VII. MISCELLANEOUS
A. Regulatory References. A reference in this BAA to a section in the Privacy, Security, or Breach Notification Rule means the section as in effect or as amended, and for which compliance is required.
B. Survival. The respective rights and obligations of Business Associate and Covered Entity under Section VI(C) of this BAA shall survive the termination of the BAA.
C. Construction. This BAA shall be construed as broadly as necessary to implement and comply with HIPAA, the HITECH Act, and the HIPAA Rules. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies with and is consistent with HIPAA, the HITECH Act, and the Privacy, Security, and Breach Notification Rules.
D. Amendment of BAA. The parties agree to take such action as is necessary to amend this BAA from time to time in order for Business Associate and Covered Entity to comply with the requirements of the HIPAA Rules. Specifically, the parties agree to negotiate in good faith any changes or modifications to this BAA as proposed or requested by either party as may be necessary for the parties to comply with their respective obligations under HIPAA, the HITECH Act, and the HIPAA Rules.