DRFIRST BACKLINE ENROLLMENT AGREEMENT
- Enrollment. com, Inc. (“DrFirst”) agrees to provide the DrFirst Backline (“Backline”) software for use by the person, entity, or organization identified on the signature line (referred to herein as, “Company”). Company’s access and use of Backline is subject to DrFirst’s Backline terms (“Terms”), and the business associate agreement (“BAA”) as updated from time to time by DrFirst, all of which are incorporated by reference into this Enrollment Agreement as Exhibit A. By signing below, Company acknowledges and agrees that Company has read, understands, and agrees to the Terms and the BAA. Company represents and warrants that the individual signing on Company’s behalf has all necessary authority to bind Company.
- Backline. Backline (“the Application”) provides a simple, secure, method to chat or send instant messages to single users and groups. Backline is offered as a standalone tool for provider communication through web-based desktop access, as well as a mobile-based messaging solution for iPhone and Androids. The Secure Texting capability allows users to (i) Create 1-to-1 chats, group chats, and patient centered chats; (ii) See real time delivery status indicators and message timestamps; (iii) Attach up to 20MB to a message, including photos, videos, audio files and documents; and (iv) Communicate with providers (or patients) across organizations. The Administrative Console provides the following functionality: (i) Monitoring: Allows for review of application usage & statistics; (ii) Chat Archiving: Searching through chat archives by participant, date, and keywords; and (iii) User Management: Managing users by adding or disabling user accounts and uploading batches of users. The Telehealth service operates by delivering real time secure face-to-face video chat functionality and seamlessly transitions between secure message and secure face-to-face real-time live video connection.
Cost Rate Description Item Number Total Annual Cost $300 Annual Backline Per User License Fee $
- Invoicing. DrFirst will invoice Company on a yearly basis and Company agrees to remit full payment of each invoice no later than thirty (30) days from the invoice date. Company agrees to pay interest at a rate of 1.5% per month, or the highest legal rate, whichever is less, on all overdue amounts.
- Term and Termination. The term of this Enrollment Agreement begins upon signature by both parties and shall continue for an initial term of one (1) year. The term will automatically renew for successive one (1) year renewal terms unless a party provides notice of its intention not to renew at least sixty (60) days prior to the end of the then current term or renewal term.
TERMS AND CONDITIONS
FOR DRFIRST BACKLINE ENROLLMENT AGREEMENTS
Applicability. These Terms and Conditions (“Terms”) apply to all DrFirst Backline Enrollment Agreements (each, an “Enrollment Agreement”).
- “Authorized End User” means any individual accessing Backline pursuant to an Enrollment Agreement.
- “Claim” means any claim, demand, action, suit, or proceeding, and all liability, losses, judgments, damages, settlements and costs arising out of or relating to the same (including reasonable attorneys’ fees) whether based on breach of contract or warranty, tort including negligence, statute, or other legal or equitable theory.
- “Company Software” means the Backline (“Backline”) application software licensed and utilized by Company.
- “Medication History Information” means the medication history information provided in the Company Software for the purpose of providing direct health care services to Company patients.
- “Surescripts” means certain services provided over a network operated by SureScripts, LLC.
- “Backline” means DrFirst’s services which deliver secure texting, administrative console, medication history information, and Telehealth pursuant to an Enrollment Agreement.
- Company Obligations. Company shall be responsible for: (i) granting and revoking access through the Company Software; (ii) obtaining any and all consents or authorizations from patients necessary to use Backline, including the use of the telehealth service within Backline; (iii) ensuring that Company’s use of Backline complies with applicable laws and regulations; and (iv) ensuring that all Authorized End Users comply with applicable federal and state laws and regulations related to the use of telehealth. Additionally, Company will assist in the deployment, verification & rollout of Backline and follow the Implementation Guidelines referenced in the Enrollment Agreement.
- Additional Company Obligations for Medication History Information (MedHx Only).
- The terms of Section 3 apply only if the Medication History Service (“MedHx”) is purchased.
- Company agrees to only use Medication History Information provided by Company Software for the purpose of providing direct health care services to its patient. Certain services are provided over a network operated by SureScripts. Company acknowledges that the Medication History Information provided hereunder may not be complete or accurate, and neither DrFirst, SureScripts nor any pharmacy or other entity providing Medication History Information provides any representations or warranties with respect to the accuracy or completeness of the Medication History Information, and Company releases and holds harmless DrFirst, SureScripts and any person or entity providing Medication History Information from any liability, cause of action, or claim related to the completeness or lack thereof of the Medication History Information. Company is not required to release and hold harmless any party whose conduct is found to be willfully malicious or reckless or grossly negligent. Company agrees to confirm the accuracy of the Medication History Information with the patient prior to providing any medical services based thereon and Company agrees that Company Authorized End Users shall use their professional judgment in the provision of care. Company agrees to obtain patient consent prior to requesting any medication history for that patient. Company acknowledges that Medication History Information shall be used only for those patients from whom Company has obtained the consent of the patient to access such patient’s medication history. Other than in the course of treatment for the Company’s patient, Company shall not provide the Medication History Information to any other person or entity for any reason whatsoever, or use the Medication History Information for any other purpose. Company shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of any data provided hereunder for any purpose not authorized by this PA. Company shall not use any Medication History Information for any reason, whether in aggregated form or otherwise, except for the sole purpose of treating a Company patient.
- Company shall allow DrFirst and Surescripts, without notice, the ability to access, inspect, and review all records related to information and Medication History Information provided by or through the Surescripts network through Company Software.
- Grant of License; Ownership of Software, Products and Intellectual Property. DrFirst grants to Company a limited, non-exclusive, non-transferable, revocable license to access and use Backline solely with the Company Software. Except for the limited rights expressly granted to Company in these Terms, neither Company nor any Authorized End Users has any license, interest, or right of any kind in Backline. DrFirst retains sole and exclusive rights to the DrFirst brand, Backline, and any associated code or software, including interface software, all related materials, and all copies thereof in any form or medium, whether now known or existing or hereafter developed, and including all copyrights, patents, trade secrets, trademarks, trade names and intellectual property rights associated therewith. All goodwill arising in or from the DrFirst brand shall inure solely to DrFirst’s benefit. Company shall not: (i) attempt to de-compile, reverse assemble, reverse engineer, or attempt to gain access to the source code of any software furnished by DrFirst; (ii) import, add, modify or create derivative works of any such software or user materials; (iii) delete data in any such software database by any method other than direct data entry through the application, or through a DrFirst developed interface; or (iv) remove any proprietary notices, labels, or marks from any software or user materials provided by DrFirst. The software, user materials, and other rights granted herein may not be transferred, leased, assigned, or sublicensed without DrFirst’s prior written consent, except to a successor in interest of Company’s entire business who assumes all of the obligations of these Terms. In the event of any unauthorized transfer, Company’s rights under this Agreement shall automatically terminate.
- Payment. DrFirst will invoice Company on a yearly basis and Company agrees to remit full payment of each invoice no later than thirty (30) days from the date of the invoice. Company agrees to pay interest at the rate of 1.5% per month, or the highest legal rate, whichever is less, on all overdue amounts. DrFirst may increase the license fees at any time as a result of an increase in costs to DrFirst related to maintaining the integration or licensing the SureScripts specifications.
- Confidentiality. The Parties acknowledge that during the performance of this Agreement, each party may have access to certain of the other Party’s confidential information or confidential information of third parties that the disclosing party is required to maintain as confidential (“Confidential Information”). Both parties agree that all items of Confidential Information are proprietary to the disclosing party or such third party, as applicable, and shall remain the sole property of the disclosing party or such third party. Each party receiving Confidential Information from the other party agrees as follows: (i) that such receiving party shall use the Confidential Information only for performance of the Enrollment Agreement; (ii) that such party will not reproduce the Confidential Information except as minimally necessary to use for performance hereunder and will hold in confidence and protect the Confidential Information from dissemination to, and use by, any third party; (iii) that such party shall not create any derivative work from Confidential Information disclosed to said party by the other party; (iv) that such party shall restrict access to the Confidential Information to such of its personnel, agents, and/or consultants, if any, who have a need to have access for purposes of performing that party’s obligations hereunder; and (v) that such party shall return or destroy all Confidential Information disclosed by the other party in its possession upon termination or expiration of the Enrollment Agreement. For clarity, Company may not disclose any Confidential Information of DrFirst or data received via Backline, including but not limited to any documentation or materials owned by DrFirst, to Epic.
- Availability of Data Sources. Company acknowledges and agrees that any pharmacy benefits manager, plan, Surescripts, or other data source may opt out of participation in Backline at any time without prior notice to Company.
- Warranties and Disclaimers. EXCEPT AS EXPRESSLY SET FORTH HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DRFIRST DISCLAIMS ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND/OR NON-INFRINGEMENT. DRFIRST DOES NOT WARRANT THAT THE APPLICATION WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF THE APPLICATION WILL BE UNINTERRUPTED OR ERROR-FREE. Company agrees that DrFirst is not responsible for accuracy, completeness, quality, integrity, legality, reliability, or appropriateness of data provided to Company. Company waives any Claims against DrFirst and Epic related to the accuracy, completeness, quality, integrity, legality, reliability, AVAILABILITY, and appropriateness of data provided to Company hereunder.
- LIMITATION OF LIABILITY. IN NO EVENT SHALL DRFIRST OR ANY OF ITS LICENSORS, AGENTS OR REPRESENTATIVES BE LIABLE TO COMPANY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, LOST PROFITS, BUSINESS INTERRUPTION, EVEN IF DRFIRST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL DRFIRST BE LIABLE TO COMPANY ON ACCOUNT OF ANY LOSS OR CLAIM CAUSED BY THE FAILURE OF COMPANY OR ANY OF YOUR EMPLOYEES, AGENTS, PROVIDERS OR REPRESENTATIVES TO PERFORM ANY OF YOUR/THEIR OBLIGATIONS UNDER THIS AGREEMENT. THE CUMULATIVE LIABILITY OF DRFIRST TO COMPANY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF ALL LICENSE FEES PAID TO DRFIRST BY COMPANY DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE ACT, OMISSION OR EVENT GIVING RISE TO SUCH LIABILITY.
- Indemnification. Company shall defend, indemnify and hold harmless DrFirst against all Claims of any kind of nature arising out of or resulting from Company or Company’s Authorized End Users (i) misuse of or unauthorized disclosure of or access to, protected health information; (ii) any material breach of the Terms, Enrollment Agreement, BAA, or Implementation Guidelines; (iii)) use of or inability to use the Surescripts, or any data; or (iv) negligence, willful misconduct, or violation of any law or any use, access, disclosure, or possession of any data received in connection with this Agreement.
- Termination. Either party may terminate the Enrollment Agreement for a material breach of the Enrollment Agreement, these Terms, the BAA, or the Implementation Guidelines by the other party upon written notice, which breach is not cured within thirty (30) days after written notice by the non-breaching party setting forth, in reasonable detail those terms and conditions which have been breached. Furthermore this Agreement may be terminated by either Party immediately upon written notice of termination in the event that one party makes a general assignment for the benefit of creditors, or files voluntary petition in bankruptcy or for reorganization or rearrangement under the bankruptcy laws, or if a petition in bankruptcy is filed against a party and is not dismissed within thirty (30) calendar days after the filing, or if a receiver or trustee is appointed for all or any part of property or assets of such other party.
- Notices. Unless otherwise expressly provided herein, all notices or other communications shall be in writing and delivered either personally, via a nationally recognized overnight carrier, or by certified, return receipt requested, postage prepaid U.S. mail to the addresses set forth on the signature page of the Mobile Services Agreement. Either party may change its address by specifying such change in a written notice to the other. A copy of any notice directed to DrFirst at the address on the Mobile Services Agreement shall be sent to the attention of the DrFirst.com, Inc, Legal Department, 9420 Key West Avenue, Suite 101, Rockville, MD 20850, with a courtesy e-mail to: email@example.com
- Miscellaneous. Any attempt to add or alter the terms of this Agreement by a purchase order shall be null and void. Except as provided otherwise herein, this Agreement may not be modified except by a writing signed by an authorized representative of both parties. Company acknowledges and agrees that DrFirst may de-identify data received for product improvement only. A waiver by either party of its rights hereunder shall not be binding unless contained in a writing signed by an authorized representative of the party waiving its rights. The non-enforcement or waiver of any provision shall not constitute a waiver of such provision on any other occasion unless expressly so agreed in writing. This Agreement and all rights and obligations may not be assigned in whole or in part by either party without the prior written consent of the other, except in connection with a reorganization, merger, consolidation, acquisition, or restructuring involving all, or substantially all of the voting securities and/or assets of the assigning party. Neither party shall be liable for failure to perform any of its obligations hereunder if such failure is caused by an event outside its reasonable control, including, but not limited to, an act of God, shortage of materials, personnel or supplies, war, or natural disaster. If any provision of this Agreement is declared invalid by a court of competent jurisdiction, such provision shall be ineffective only to the extent of such invalidity, so that the remainder of that provision and all remaining provisions of this Agreement shall be valid and enforceable to the fullest extent permitted by applicable law. This agreement shall be governed by and interpreted in accordance with the laws of the state of Maryland, without regard to conflicts of law principles thereof or to the United Nations Convention on the International Sale of Goods. For purposes of all claims brought under this agreement, each of the parties hereby irrevocably submits to the non-exclusive jurisdiction of the state courts of the state of Maryland. Under no circumstances, shall this agreement or a part thereof be subject to the Uniform Computer Information Transaction Act. The parties recognize and agree that their obligations under Paragraphs 3,4, 5 and 6 of this Master Agreement shall survive the cancellation, termination or expiration of this Agreement.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) applies to all DrFirst Backline Enrollment Agreements (referred to as the “Service Agreement”) pursuant to which DrFirst (“Business Associate”) receives PHI from a Covered Entity as a Business Associate as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”).
II. DEFINITIONS AND INTERPRETATION
2.1 Definitions Generally.
2.1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
2.1.2 “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
2.1.3 “Electronic Protected Health Information” or (“EPHI”) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
2.1.5 “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.6 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
2.1.7 Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
2.2 Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations (collectively, the “Regulations”) or any binding interpretation thereof, said conflict will be resolved in favor of the Regulations. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
2.3 State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
2.4 Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.
III. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE
3.1 Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI received by the Business Associate as necessary to perform functions, activities or services for or on behalf of the Covered Entity as specified in the Service Agreement and including but not limited to:
3.1.1 Facilitating the processing of administrative, clinical and financial healthcare transactions;
3.1.2 Treatment of patients of the Covered Entity;
3.1.3 Establishing and maintaining Business Management Programs;
3.2 Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.
3.3 De-Identification. Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(b
3.4 Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.
3.5 Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if:
3.5.1 Required By Law; and/or
3.5.2 Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.
3.6 Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
IV. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
4.1 Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement
4.2 Safeguards Against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
4.3 Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4.4 Agreements With Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.
4.5 Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
4.6 Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
4.7 Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity (or an Individual as directed by the Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designed by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.
4.8 Accounting of Disclosures.
4.8.1 The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
4.8.2 The Business Associate shall provide to Covered Entity information collected in accordance with Section 4.8.1 of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.
4.9 Retention of Protected Health Information. Notwithstanding Section 8.3 of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section 4.8.1 of this Agreement for a period of six (6) years after termination of the Service Agreement.
4.10 Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
4.11 Availability of Information. The Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.
V. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
5.1 Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
5.2 Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
5.3 Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.
VI. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
6.1 Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.
6.2 Content of Notification. Any notice referenced above in Section 6.1 of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
VII. OBLIGATIONS OF THE COVERED ENTITY
7.1 Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.2 Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
7.3 Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.4 Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.
VIII. TERM AND TERMINATION
8.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity; or in the event that it is not feasible to return or destroy said PHI, protections are extended to such information with the termination provisions herein provided or as permissible by the applicable Regulations.
8.2 Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.
8.3 Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. In the event that the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
8.4 Retention of Certain Information. The Business Associate shall retain no copies of the aforementioned PHI; however, the Covered Entity understands and agrees that information relating to individual prescription transactions submitted by use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.
9.1 Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.
9.2 Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.
9.3 Survival. The respective rights and obligations of Business Associate under Article VI of this Agreement shall survive the termination of this Agreement.
9.4 Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.