Terms of Access for Clinical Site Users


Last Updated: May 1, 2023

 

1.     Introduction

These Terms of Access (“Terms”) govern your use of this software as a service solution and any other provided services (the “Services”) which SiteRx, Inc. (“SiteRx”, “we”, “us”, or “our”) makes available to you, and the terms on which you may use it.

BY ACCEPTING THESE TERMS, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, OR BY USING THE SERVICES OR ANY INFORMATION PROVIDED VIA THE SERVICES OR IN CONNECTION WITH THE SERVICES, YOU AGREE TO BE BOUND BY THESE TERMS, INCLUDING ALL TERMS INCORPORATED BY REFERENCE. PLEASE REVIEW THESE TERMS EACH TIME YOU USE THE SERVICES, SINCE THERE MAY BE CHANGES AND UPDATES FROM TIME TO TIME. YOUR CONTINUED USE OF THE SERVICES AFTER SUCH CHANGES ARE POSTED (OR OTHER METHOD OF LEGAL ACCEPTANCE) WILL CONSTITUTE YOUR ACCEPTANCE OF SUCH CHANGES.

This Agreement was last updated as of the date above. It is effective between you and SiteRx as of the earlier of: (a) the date you accept this Agreement or (b) the date you first access or otherwise use the Services.

These Terms incorporate by reference the enclosed Data Protection Agreement (“DPA”), as may be amended from time to time and which is made a part of these Terms as if recited here in full.

If you do not agree to these Terms, you must immediately cease using the Services. These Terms, along with the DPA and any additional terms or policies incorporated herein by reference, represent the entire agreement between you and SiteRx concerning the Services, and these Terms supersede and replace any prior proposal, representation, or understanding you may have had with SiteRx relating to the Services, whether orally or in writing.

The defined terms “you”, “your” or “Customer” mean the person accepting these Terms or, if applicable, the legal entity on whose behalf Customer is accepting and is duly authorized to accept these Terms. You represent and warrant that you have the right, authority, and capacity to bind and enter into these Terms on behalf of such person or entity. If you do not have such authority, you must not accept these Terms and may not use the Services. The defined term “User” means an individual who is authorized by Customer to use the Services and to whom Customer (or SiteRx at your request) has supplied access credentials. Users may include, for example, your employees, consultants, contractors, and agents.

 

2.     Right to Access and Use

Conditioned on your compliance with these Terms, we hereby grant to you the limited, revocable, non-assignable, non-transferable, non-sublicensable and non-exclusive right to access and use the Services for the term and purpose as set out in, and subject to the terms and conditions of, these Terms.

Any access to or use of the Services, other than as expressly set forth herein, by you or any person, business, corporation, government organization or any other entity is strictly forbidden and is a violation of these Terms.

 

3.     Ownership

These Services are owned and operated by SiteRx. All names, logos, and materials contained in the Services or provided to you in connection with the Services (“Materials”) are either owned by or licensed to SiteRx. SiteRx and its applicable licensors retain all proprietary rights in and to the Services and Materials. Any publication or other unauthorized use of the Materials, in any form or by any means, including but not limited to electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of SiteRx, is strictly prohibited.

Customer will (a) be responsible for Users’ compliance with this Agreement and for all activities that occur through Users’ use of Services, (b) to prevent unauthorized access to or use of Services (including not sharing any User passwords) and notify SiteRx promptly of any such unauthorized access or use, and (c) comply with the terms of service for all third-party applications with which Customer uses the Services.

SiteRx may change, suspend or discontinue any aspect of the Services at any time, including the provisions relating to confidentiality, integrity or the availability of any feature, database or content. SiteRx may also impose limits on certain features and services or restrict your access to all or part of the Services without notice or liability.

 

4.     Usage Restrictions

Customer will not, and will be responsible for ensuring that a User will not: (a) make any Service available to, or use any Services for the benefit of, anyone other than Customer or Users, including any part, feature, function or output of any Services, (b) sell, resell, license, sublicense, distribute, rent or lease any Services or any part, feature, function or output thereof (e.g., reports, screenshots), or include any Services in a service bureau or outsourcing offering, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use the Services to store or transmit any malicious code, (e) use the Services in violation of these Terms, applicable laws or government regulations, or for otherwise fraudulent or malicious purposes, (f) interfere with or disrupt the integrity or performance of any Services or third-party data contained therein, (g) attempt to gain unauthorized access to any Services or its related systems or networks, (h) use or permit direct or indirect access to or use of any Services in a way that circumvents a contractual usage limit, (i) publish, display, or copy (provided that Customer and its Users can copy as reasonably necessary to its and their rights under these Terms and in connection with ordinary course back-up and disaster recovery procedures) the Services or any part, feature, function, output, or user interface thereof, (j) remove any legal, copyright, trademark or other proprietary rights notices contained in or on the Materials; (k) frame or mirror any part of any Services, other than framing on your own intranets or otherwise for your own internal business purposes or as permitted in these Terms, (l) access any Services in order to build a competitive product or service or use the Services in a way that competes with products or services offered by SiteRx, (m) copy, adapt, reformat, reverse-engineer, disassemble, decompile, download, translate or otherwise modify any Services through automated or other means; (n) interfere with or disrupt servers or networks that provide or support the Services or other customers’ or users’ access to or use of the same; (o) access or attempt to access the Services in an unauthorized manner, portions of the Services that are restricted from access, or other users’ accounts, computer systems or networks not covered by these Terms, through password mining or any other means; (p) cause, as determined in SiteRx’s sole discretion, an inordinate burden on SiteRx’s system resources or capacity; and (q) engage in any other conduct that is contrary to the purpose of these Services or, as determined by SiteRx in its sole discretion, exposes SiteRx or any other person or entity related to these Services to any liability or detriment.

You must keep your authenticating credentials (e.g., user name and password) or other information needed to log in to the Services (e.g., multi-factor authentication mechanism) confidential and secure. SiteRx is not responsible for any unauthorized access to your account by others. If you know or suspect an unauthorized person has obtained your authentication credentials or otherwise compromised your account, you shall immediately notify SiteRx at infosec@siterx.com, and cooperate with SiteRx in its response efforts.

Notwithstanding anything herein to the contrary, SiteRx reserves the right, in its sole discretion, to protect users from violators and violations of these rules of conduct, including but not limited to, restricting your access to the Services, restricting your ability to upload or access Materials, immediately terminating or suspending your access to the Services, or terminating your access to the Services by blocking certain IP addresses from accessing the Services. Notwithstanding the foregoing, we have the unlimited right to terminate your access to the Services at any time, with or without cause, which shall not be limited to violations of these Terms.

 

5.     Consent to Data Collection and Use

You are under no obligation to submit anything to us or through use of the Services. However, in order for us to provide the Services, we may need your authorization to process, display, reproduce, create derivative works, and otherwise use the materials and Data that you make available to us, if any. Therefore, if you choose to submit any materials and/or Data through or on the Services, or otherwise make available any materials or Data through the Services or our services, you hereby grant us a perpetual, irrevocable, transferrable, sub-licensable through multiple tiers, non-exclusive, worldwide, royalty-free license to reproduce, use, modify, display, perform, distribute, translate and create derivative works from any such materials or Data, in accordance with the DPA.

You agree that SiteRx may use your name, logo, trademarks, service marks, domain names, and distinctive brand features in our marketing or publicity materials, website, and third-party websites for the purpose of marketing or publicizing SiteRx’s services, including, without limitation, the fact that you are a user of the Services, along with any testimonials you or any other representative may provide. You also agree to participate in surveys and evaluations of the Services upon reasonable request.

By submitting any materials or data to us you hereby agree, warrant and represent that: (a) the provision of the materials and data is not a violation of any third-party’s rights, and is subject to appropriate consents where applicable; (b) all such materials and data are accurate and true, and (c) you are not entitled to compensation or attribution from us in exchange for the materials and/or data.

You acknowledge that we are under no obligation to maintain the Services, or any information, materials, data, or other matter you submit, post or make available to or on the Services. We reserve the right to withhold, remove and/or discard any such material at any time.

If you grant SiteRx access to your systems, then you represent and warrant that you have the right, authority and capacity to grant such access to SiteRx, and acknowledge that SiteRx may book and schedule clinical trial subjects using such access.

You acknowledge that the Services and any integrations or data sharing between us are not meant for the processing or sharing of information generated in the course of conducting a clinical trial, and that SiteRx is not generating records for research purposes. You agree not to share with us any clinical trial data through the Services or otherwise other than in accordance with applicable law. The Services do not substitute for sites’ and clinical investigators’ responsibility to conduct screening, generate the associated source documentation and complete case report forms for submission with respect to any subjects referred to the site, none of which functions are delegated by you to SiteRx.

To the extent that you provide us information considered to be protected health information under applicable law, you hereby grant permission to SiteRx to access and use data shared with SiteRx to create deidentified data, in accordance with, and as defined by, 45 C.F.R. § 164.514 (the “Deidentified Data”). In addition, you hereby give SiteRx a limited, nonexclusive, irrevocable, sublicensable (including through multiple tiers), perpetual, royalty free, fully-paid up license to aggregate, compile, decompile, manipulate, reproduce, modify, supplement, adapt, translate, create derivative works from, and otherwise fully use and disclose the Deidentified Data. You agree that SiteRx shall have exclusive ownership rights, and the exclusive right to use, such Deidentified Data.

 

6.     Important Notices

There are general risks associated with transmitting information over the internet. Although SiteRx makes efforts to secure the Services, you acknowledge and agree that a perfectly secure environment is impossible, and you assume the risks associated with a connected environment. SiteRx is not responsible for implementing sufficient procedures and checkpoints on your internal systems to satisfy your requirements for accuracy of data input and output, backing up of your data, or implementing your internal protection from “viruses,” “worms,” “trojan horses” or other malicious or damaging computer software. SiteRx is not responsible for any conditions or defects on your premises or systems or those of any other third party, the safety or security of such premises or systems, or occurrences related to such premises or systems.

 

7.     Disclaimer Of Warranties

THE SERVICES, MATERIALS, AND ANY AND ALL RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD PARTY MATERIALS, SOFTWARE OR SERVICES, ARE PROVIDED “AS IS,” AND “AS AVAILABLE,” AND SITERX DISCLAIMS TO THE FULLEST EXTENT PERMISSIBLE BY LAW ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, NON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS AND WARRANTIES CONCERNING QUALITY, ACCURACY, OR TIMELINESS. WITHOUT ANY LIMITATION OF THE FOREGOING, SITERX DOES NOT WARRANT THAT THE SERVICES, AND ANY MATERIALS, RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD-PARTY MATERIALS, SOFTWARE OR SERVICES, WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, THAT THEY ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT ANY INFORMATION OR DATA STORED OR TRANSMITTED THROUGH OR IN CONNECTION WITH THE SERVICES WILL NOT BE LOST, CORRUPTED OR DESTROYED.

 

 

8.     Limitation Of Liability

SITERX SHALL NOT BE LIABLE TO YOU OR ANY USER FOR ANY INJURY, LOSS, CLAIM OR ANY DIRECT, EXEMPLARY, PUNITIVE, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES TO PROPERTY OR LIFE, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, LOSS OF DATA OR OTHER SUCH PECUNIARY LOSS) RESULTING FROM OR IN ANY WAY CONNECTED WITH YOUR OR ANY USER’S USE OF THE SERVICES, ANY MATERIALS, AND ANY RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD PARTY MATERIALS, SOFTWARE OR SERVICES, EVEN IF SITERX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF OR LIMITATION OR EXCLUSION OF CERTAIN TYPES OF WARRANTIES, DAMAGES, OR LIABILITIES, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU, BUT IN SUCH A CASE THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THIS SECTION SHALL BE APPLIED TO THE GREATEST EXTENT ENFORCEABLE UNDER APPLICABLE LAW.

 

 

9.     Indemnification

You will, without limitation, defend, indemnify and hold SiteRx and its affiliates, and its and their respective licensors, agents, representatives, officers, directors, members, partners, and employees, harmless from and against any and all third-party claims, actions, liabilities, losses, damages, judgments, grants, costs, and expenses, including reasonable attorneys’ fees, arising out of (a) any use of the Services, or any part thereof, by you or (b) any alleged or actual breach of any of the terms of this Agreement or any representations or warranties hereunder by you, any party related to you, or any party acting upon your authorization.

 

10.  Termination

These Terms constitute a binding agreement between you and SiteRx until terminated, which SiteRx may do at any time, without notice, in SiteRx’s sole discretion. If you become dissatisfied with these Services, your only recourse is to immediately discontinue use of the Services.

 

11.  Notices

Except as explicitly stated otherwise, any notice shall be given by email to SiteRx at legal@siterx.com and to you at the email address you provide to SiteRx. Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid.

 

12.  General Provisions

The laws of the State of New York shall govern this Agreement. Any dispute arising out of or relating to this Agreement shall be brought exclusively in courts located within the State and County of New York, and you consent to such jurisdiction as appropriate and convenient, and shall not contest such jurisdiction. These Terms, including the documents expressly incorporated by reference, constitute the entire agreement between you and us with respect to the Services and any services rendered by SiteRx to you, and supersede all prior or contemporaneous communications, whether electronic, oral or written. If any provision of these Terms is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be enforced to the maximum extent permissible by law so as to effect the intent of these Terms, and the remainder of these Terms shall continue in full force and effect. You agree that our performance under these Terms in accordance with their terms is performance in good faith. You agree that no joint venture, partnership, employment, or agency relationship exists between you and us as a result of these Terms or your use of the Services. SiteRx may assign its rights under these Terms, in whole or in part, to any person or entity at any time with or without your consent; however, you may not assign these Terms without SiteRx’s prior written consent, and any unauthorized assignment by you shall be null and void. In no event shall SiteRx or its affiliates be liable to you for any damage, delay, or failure to perform resulting directly or indirectly from a force majeure event. The failure of either you or SiteRx to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. All provisions of these Terms regarding representations and warranties, indemnifications, disclaimers and limitations of liability shall survive any termination of these Terms.

 

13.  Questions or Feedback

Questions or suggestions may be submitted to info@siterx.com.

If you or any User provides any ideas, feedback, suggestions, materials, information, opinions, or other input to SiteRx (“Feedback”), regardless of any accompanying communication, SiteRx has no obligation to review, consider, or implement such Feedback. All such submissions are made on a nonconfidential basis. SiteRx and its successors and assigns have an unconditional and unlimited right to use, reproduce, modify, and disclose such Feedback without any compensation or attribution, and you and each User waive and agree not to assert any so-called “moral rights” you or a User may have in the Feedback.

SiteRx Data Protection Agreement for Clinical Site Users

 

 

Last updated: May 1, 2023

 

  1. Introduction. This Data Protection Agreement (“DPA”) is entered into by and between SiteRx (the “Company”) and you (“Customer”). The Company, on the one hand, and Customer, on the other hand, are each referred to individually as a “Party” and together as the “Parties”. Pursuant to the Agreement, the Parties may create, receive, transmit or maintain Individually Identifiable Health Information (or “IIHI” as defined herein), through Company’s proprietary technology platform that assists in the identification and scheduling of potential clinical trial subjects for screening and enrollment by Customer (collectively the “Services”). Company may also collect, use and disclose personal information, other than IIHI, in connection with Customer’s or Customer end users’ use of the Services in accordance with Company’s Privacy Policy. To the extent Customer provides personal information to Company, Customer represents that it has complied with all applicable data privacy laws concerning its collection and disclosure of such information, and that it is not relying upon Company to discharge any of Customer’s obligations or responsibilities under applicable data privacy laws. With respect to the personal information that it receives from Customer or Customer’s end users, Company represents that it has and will independently comply with all obligations imposed by applicable data privacy laws upon data controllers, that it will not consider itself to be a joint data controller with Customer, and that it will not rely upon Customer to perform any of Company’s obligations as a data controller.

SUBJECT TO THE FOREGOING, BY USING THE SERVICES, YOU AGREE TO BE BOUND BY THIS DPA.

Please also refer to our Terms of Access into which this DPA is incorporated as if fully recited therein (“Terms of Access”). Capitalized terms that are not defined herein shall have the meaning ascribed to them in the Terms of Access.

  1. Definitions. Capitalized terms not otherwise defined in this DPA or the Terms of Access shall have the same meaning as those terms in the Privacy Rule and the Security Rule (defined below).

    1. “Breach” when capitalized, “Breach” shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in the Terms of Access, the word shall have its ordinary contract meaning.

    2. “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103.

    3. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Company creates, accesses or receives on behalf of Customer.

    4. “HIPAA” means collectively, the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, as amended and in effect.

    5. “Individually Identifiable Health Information” or “IIHI” shall mean information that is a subset of health information, including demographic information collected from an individual, and (i) is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

    6. “Protected Health Information” or “PHI” shall have the meaning set forth in the Privacy Rule, limited to information that Company creates, accesses or receives on behalf of Customer.

    7. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D, and E, as currently in effect.

    8. “Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C.

    9. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to the information created or received by Company from or on behalf of Customer.

  2. Company and Customer Obligations.

    1. Uses and Disclosures. Company shall not Use or further Disclose IIHI other than as permitted or required by this DPA, to perform Services or as Required By Law, provided that if performance of the Services involves Use and/or Disclosure of PHI, then the parties agree that this DPA shall constitute a Business Associate Agreement (“BAA”) in furtherance of the parties’ HIPAA compliance obligations. Further Company agrees that, to the extent applicable:

      1. its Use or Disclosure of PHI would not violate HIPAA if done by Customer; and

      2. its Use or Disclosure of PHI shall be limited to the minimum necessary to accomplish the permissible purpose(s) of the Use or Disclosure.

    2. Uses and Disclosures Permitted By Law. Company may use and disclose IIHI as permitted by law, provided that to the extent applicable, Company may also:

      1. Use PHI as is necessary for the proper management and administration of Company’s organization; to provide data aggregation services relating to the health care services of the Covered Entity; and to carry out the legal responsibilities of Company.

      2. Disclose PHI if the disclosure is Required By Law; or is subject to reasonable assurances obtained by Company from the third party to whom the PHI is disclosed that PHI will be held confidentially, securely, and Used or Disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and any breaches of confidentiality of PHI which become known to such third party will be promptly reported to Company.

    3. Privacy Rule. To the extent Company carries out one or more of Customer’s obligations under the Privacy Rule, Company shall comply with the requirements of HIPAA that apply to Customer in the performance of such obligation(s).

    4. Safeguards. The parties shall use appropriate and sufficient safeguards to prevent Use or Disclosure of IIHI or PHI other than the Uses and Disclosures permitted or required by this DPA. The parties shall comply with data protection requirements under applicable state, federal and international laws and regulations, including to the extent applicable the Security Rule with respect to PHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of IIHI or PHI.

    5. Reporting. The parties shall promptly report to each other, but no later than thirty (30) days after discovery, any Use or Disclosure of IIHI or PHI not permitted or required by the DPA or Terms of Access and any Security Incident of which it becomes aware. The parties agree that this section constitutes notice to each other of the ongoing existence and occurrence of attempted Unsuccessful Security Incidents. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Company’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of IIHI or PHI.

    6. Agents and Subcontractors. The parties shall ensure that any and all subcontractors that create, receive, maintain or transmit IIHI or PHI on behalf of a party agree, in writing prior to the subcontractors’ receipt of such IIHI or PHI, to the same terms and conditions of this DPA with respect to IIHI or PHI. Each subcontract agreement must contain the same restrictions and conditions applying to a party with respect to IIHI or PHI, including without limitation the provisions of this DPA. The parties shall make such agreements with their subcontractors available to the other party upon reasonable request.

    7. Individual Rights.

      1. Access and Amendment. To the extent required under applicable laws or regulations, each party shall cooperate with the other party to allow a party to carry out its obligations to make IIHI available for access or amendment as requested by data subjects.

      2. Patient Right to Request Accounting. To the extent required under applicable laws or regulations, each party shall cooperate with the other party to allow a party to carry out its obligations to make available to provide an accounting of disclosures to the subject of the IIHI.

    8. Audit. Each party shall make its internal practices, books, and records relating to the Use and Disclosure of PHI pursuant to this DPA available to the Secretary of Health and Human Services, upon request, solely for purposes of determining and facilitating each party’s compliance with HIPAA.

    9. De-identified Data. Company may de-identify IIHI or PHI in accordance with 45 C.F.R. § 164.514(b) and may Use or Disclose such de-identified data to the extent permitted under HIPAA and unless prohibited by applicable law. Company shall have the rights to the use and ownership of the De-Identified Data as set forth in the Terms of Access.

    10. Mitigation. Each party shall mitigate promptly, to the extent practicable, any harmful effect that is known to the party of a Use or Disclosure of IIHI or PHI by a party in violation of this DPA, the Privacy Rule, the Security Rule, or other applicable federal or state law.

    11. Breach. To the extent required under applicable laws or regulations, if a party has knowledge or a reasonable belief a Breach of IIHI or Unsecured Protected Health Information has occurred, such party shall notify the other party within fifteen (15) days of discovery and the parties shall cooperate with each other to investigate and respond to such Breach of IIHI or Unsecured Protected Health Information.

  3. Customer Obligations.

    1. Notice of Privacy Practices. Customer shall notify Company of limitation(s) in its notice of privacy practices to the extent such limitation affects Company’s permitted Uses or Disclosures of IIHI or PHI.

    2. Individual Permission. Customer shall notify Company of changes in, or revocation of, permission by an Individual to Use or Disclose IIHI or PHI, to the extent such changes affect Company’s permitted Uses or Disclosures.

    3. Restrictions. Customer shall notify Company of restriction(s) in the Use or Disclosure of IIHI or PHI that Customer has agreed to, to the extent such restriction affects Company’s permitted Uses or Disclosures.

  4. Term & Termination.

    1.  Term. The Term of this DPA shall begin on the Effective Date, and shall continue until all IIHI or PHI provided by Customer to Company is destroyed or returned to Customer. If it is infeasible to return or destroy all IIHI or PHI, this DPA shall continue for so long as IIHI is maintained by Company, which maintenance shall be in accordance with Section 4(c) herein.

    2. Termination.

      1. By Customer. Upon determination by Customer, in its reasonable discretion, of a material breach by Company of this DPA, Customer may terminate this DPA upon thirty (30) days’ notice; provided however, Customer shall not terminate if Company takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this DPA on a forward-looking basis within such thirty (30) day notice period.

      2. By Company. Upon determination by Company, in its reasonable discretion, of a material breach by Customer of the Terms of Access, Company may terminate this DPA upon thirty (30) days’ notice; provided however, Company shall not terminate if Customer takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this DPA on a forward-looking basis within such thirty (30) day notice period.

    3. Return on Termination. At termination of this DPA, the Terms of Access or the Customer’s right to access and use the Services, to the extent feasible, Company shall return or destroy all IIHI or PHI Company maintains in any form and shall retain no copies of IIHI, except for IIHI or PHI that has been De-identified such that it is no longer protected under HIPAA. Notwithstanding anything herein to the contrary, if Company determines, in its reasonable discretion, the return or destruction of such IIHI is not feasible, Company shall extend the protections of this DPA to the remaining information and limit further Uses and Disclosures of IIHI or PHI to those purposes that make the return or destruction of IIHI or PHI infeasible.

    4. Survival. The terms of this Section shall survive the termination or expiration of this DPA.

  5. Required Disclosure. If Company is confronted with legal action to disclose any IIHI or PHI, Company shall, to the extent permitted, promptly notify Customer of such action. Thereafter, upon request by Customer, Company shall use reasonable efforts to assist Customer in obtaining a protective order or other similar order, and shall disclose only the minimum amount of IIHI or PHI that is required to be disclosed in order to comply with the legal action, whether or not a protective order or other order has been obtained.

  6. Compliance with Laws. Company shall comply with all applicable federal, state and local laws, rules and regulations.

  7. Conflict. Except as specifically required to implement the purposes of this DPA, and except to the extent inconsistent with this DPA, all terms of the Terms of Access shall remain in full force and effect. In the event of a conflict between the terms of the Terms of Access and this DPA, this DPA shall control. This DPA supersedes any and all other agreements between the parties related to this subject matter.

  8. No Third-Party Beneficiaries. Nothing express or implied in this DPA is intended to confer, nor shall anything herein confer, upon any person other than the Customer, Company and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

  9. Amendment. This DPA is subject to change. Subject to applicable law, Company may amend this DPA from time to time by making the revised DPA available to Customer. Customer’s continued use of the Services following our notice of changes to this DPA (or other method of legal acceptance) signifies acceptance of such changes. Please refer to the “Last updated” date above to see when this DPA was last updated.