Terms of Access for Clinical Site Users

Last updated: February 17, 2022

 

1. Introduction

These Terms of Access (“Terms”) describe the nature of this software as a service solution and any other provided services (“Platform”) which SiteRx, Inc. (“SiteRx”, “we”, “us”, or “our”) makes available to you, and the terms on which you may use it.

BY USING THIS PLATFORM OR ANY INFORMATION PROVIDED ON THIS PLATFORM, YOU AGREE TO BE BOUND BY THESE TERMS. PLEASE REVIEW THESE TERMS EACH TIME YOU USE THIS PLATFORM, SINCE THERE MAY BE CHANGES AND UPDATES FROM TIME TO TIME. YOUR CONTINUED USE OF THIS PLATFORM AFTER SUCH CHANGES ARE POSTED (OR OTHER METHOD OF LEGAL ACCEPTANCE) WILL CONSTITUTE YOUR ACCEPTANCE OF SUCH CHANGES.

These Terms incorporate by reference our Privacy Policy, located at Privacy Policy and Business Associate Agreement, located at BAA, as each may be amended from time to time and which are made a part of these Terms as if recited here in full.

If you do not agree to these Terms, you must click the “I do not accept” or similar button, and immediately cease and refrain from using the Platform. These Terms, along with any additional terms or policies incorporated herein by reference, represent the entire agreement between you and SiteRx concerning the Platform, and these Terms supersede and replace any prior proposal, representation, or understanding you may have had with SiteRx relating to the Platform, whether orally or in writing.

These Terms are subject to change. If these Terms change, we will let you know by posting the revised Terms on the Platform and/or otherwise making you aware of the changes. Your continued use of the Platform following our notice of changes to these Terms (or other method of legal acceptance) means you accept such changes. Please refer to the “Last updated” date above to see when these Terms were last updated.

We seek, at all times while these Terms are effective, to provide the Platform to you in good faith, in accordance with these Terms and subject to applicable law.

 

2. Right to Access and Use

Conditioned on your compliance with these Terms, we hereby grant to you the limited, revocable, non-assignable, non-transferable, non-sublicensable and non-exclusive right to access and use the Platform for the term and purpose as set out in, and subject to the terms and conditions of, these Terms.

You represent and warrant that you have the right, authority and capacity to bind and enter into this BAA on behalf of the business with whom you are employed or to whom you provide services (“Business”).

Any access to or use of the Platform, other than as expressly set forth herein, by you or any person, business, corporation, government organization or any other entity is strictly forbidden and is a violation of these Terms.

 

3. Ownership

This Platform is owned and operated by SiteRx. All names, logos, and materials contained in the Platform (“Materials”) are either owned by or licensed to SiteRx. SiteRx and its applicable licensors retain all proprietary rights in and to the Platform and Materials. Any downloading, copying, transmission, publication or other unauthorized use of the Materials, in any form or by any means, including but not limited to electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of SiteRx, is strictly prohibited.

SiteRx may change, suspend or discontinue any aspect of the Platform at any time, including the provisions relating to privacy or the availability of any Platform feature, database or content. SiteRx may also impose limits on certain features and services or restrict your access to all or part of the Platform without notice or liability.

 

4. Rules of Conduct

You agree that you will not violate any applicable law or regulation, including applicable data security and privacy laws, in connection with your use of the Platform.

You must keep your user name, password, and any other information needed to log in to the Platform, if applicable, confidential and secure. SiteRx is not responsible for any unauthorized access to your account by others.

The following activities are not permitted on the Platform and are a material breach of these Terms:

  • Using the Platform in any manner or for any purpose other than as expressly permitted by the Service Agreement or any Platform documentation;

  • Using the Platform in violation of any local, state, or federal law or regulation, including applicable data security and privacy laws;

  • Selling, lending, renting, reselling, leasing, sublicensing or otherwise transferring any of the rights granted herein to any third party;

  • Modifying, altering, tampering with, repairing or otherwise creating derivative works of any software included in or used to provide the Platform;

  • Reverse engineering, disassembling or decompiling the Platform or any software contained therein, or attempting to discover or recreate the source code to the Platform;

  • Removing, obscuring or altering any proprietary rights notices related to the Platform;

  • Accessing or using the Platform in a way intended to avoid incurring fees or exceeding usage limits or quotas;

  • Sending unauthorized commercial communications or messages on the Platform, including advertisements, promotions, marketing materials, or solicitations of any kind;

  • Storing or transmitting, on or via the Platform, any files, code, data, information or other materials (“Data”) containing unlawful, defamatory, threatening, pornographic, abusive, libelous or otherwise objectionable material of any kind or nature, or storing or transmitting any material that encourages conduct that could constitute a criminal offense;

  • Storing or transmitting, on or via the Platform, any Data that violate any law or regulation;

  • Storing or transmitting, on or via the Platform, any Data that violate the intellectual property rights or rights to the publicity or privacy of others;

  • Storing or transmitting, on or via the Platform, any Data that contain software viruses or other harmful or deleterious computer code, files or programs such as Trojan horses, worms, time bombs or cancelbots;

  • Interfering with or disrupting servers or networks that provide or support the Platform or other users’ access to or use of the same;

  • Accessing or attempting to access the Platform in an unauthorized manner, portions of the Platform that are restricted from general access, or other users’ accounts, computer systems or networks not covered by this Agreement, through password mining or any other means;

  • Causing, as determined in SiteRx’s sole discretion, an inordinate burden on SiteRx’s Platform, resources, or capacity; and

  • Engaging in any other conduct that is contrary to the purpose of this Platform or, as determined by SiteRx in its sole discretion, exposes SiteRx or any other person or entity related to this Platform to any liability or detriment.

You further represent and warrant that, as a provider of services to clinical trials, you and all your personnel: (a) are fully licensed and permitted in accordance with applicable laws and regulations to provide services to clinical trial sponsors and study participants, and (b) shall perform their services, duties, and obligations to clinical trial sponsors and study participants in a good and workmanlike manner, in accordance with good medical practice and good clinical practice, and in accordance with all applicable laws and regulations, without causing damage or injury to any party.

Notwithstanding anything herein to the contrary, SiteRx reserves the right, in its sole discretion, to protect users from violators and violations of these rules of conduct, including but not limited to, restricting your access to the Platform, restricting your ability to upload Materials, immediately terminating or suspending your access to the Platform, or terminating your access to the Platform by blocking certain IP addresses from accessing the Platform.

Notwithstanding the foregoing, we have the unlimited right to terminate your access to the Platform at any time, with or without cause, which shall not be limited to violations of these rules of conduct.

 

5. Consent to Data Collection and Use

You consent to collection and use of your data in accordance with our Privacy Policy.

You are under no obligation to submit anything to us or through use of the Platform. However, in order for us to provide the Platform, we may need your authorization to process, display, reproduce, create derivative works, and otherwise use the materials and data that you make available to us, if any. Therefore, if you choose to submit any materials and/or data through or on the Platform, or otherwise make available any materials or data through the Platform or our services, you hereby grant us a perpetual, irrevocable, transferrable, sub-licensable through multiple tiers, non-exclusive, worldwide, royalty-free license to reproduce, use, modify, display, perform, distribute, translate and create derivative works from any such materials or data, in accordance with the Privacy Policy.

By submitting any materials or data to us you hereby agree, warrant and represent that: (a) the provision of the materials and data is not a violation of any third-party’s rights, and is subject to appropriate consents where applicable; (b) all such materials and data are accurate and true, and (c) you are not entitled to compensation or attribution from us in exchange for the materials and/or data.

You acknowledge that we are under no obligation to maintain the Platform, or any information, materials, data, or other matter you submit, post or make available to or on the Platform. We reserve the right to withhold, remove and/or discard any such material at any time.

If the Business, or you on behalf of the Business, grants SiteRx access to Business’ systems, then you, on behalf of yourself and such Business, represent and warrant that you have the right, authority and capacity to grant such access to SiteRx, and acknowledge that SiteRx may book and schedule clinical trial subjects using such access.

You acknowledge that the Platform and any integrations or data sharing between us are not meant for (a) the processing or sharing of information generated in the course of conducting a clinical trial or (b) the use in any clinical trial (including, without limitation, in any regulatory submission), in each case, other than in accordance with applicable law and in compliance with the applicable protocol or other requirements of the clinical trial sponsor. You also agree not to share with us any clinical trial data through the Platform or otherwise other than in accordance with applicable law.

To the extent that you provide us information considered to be protected health information under applicable law, you hereby grant permission to SiteRx to access and use data shared with SiteRx to create deidentified data, in accordance with, and as defined by, 45 C.F.R. § 164.514 (the “Deidentified Data”). In addition, you hereby give SiteRx a limited, nonexclusive, irrevocable, sublicensable (including through multiple tiers), perpetual, royalty free, fully-paid up license to aggregate, compile, decompile, manipulate, reproduce, modify, supplement, adapt, translate, create derivative works from, and otherwise fully use and disclose the Deidentified Data. You agree that SiteRx shall have the exclusive ownership rights, and the exclusive right to use, such Deidentified Data.

 

6. Important Notices

There are general risks associated with transmitting information over the internet. Although SiteRx makes efforts to secure the Platform, you acknowledge and agree that a perfectly secure Platform is impossible, and you assume the risks associated with a connected Platform. SiteRx is not responsible for implementing sufficient procedures and checkpoints on your internal systems to satisfy your requirements for accuracy of data input and output, backing up of your data, or implementing your internal protection from “viruses,” “worms,” “trojan horses” or other malicious or damaging computer software.

The Platform may be accessed on the premises, or using the systems, of a service provider providing clinical services related to clinical trials described on the Platform (“Clinical Site”). SiteRx is not responsible for any conditions or defects on Clinical Site’s premises, the safety or security of Clinical Site’s premises or systems, or occurrences related to Clinical Site’s premises or systems.

SiteRx does not credential, accredit or determine the qualifications of the practitioners, healthcare providers or facilities that may use the Platform. SiteRx makes no claim or representation regarding, and accepts no responsibility for, the quality or reliability of any services or products provided by third parties using the Platform. SiteRx does not endorse or warrant the accuracy or reliability of any advice, opinion, test results, statement or other information displayed, distributed or otherwise accessible on or through this Platform.

SiteRx does not sponsor or provide regulatory or clinical services related to clinical trials described on the Platform. SiteRx makes no claim or representation regarding, and accepts no responsibility for, any such clinical trials. SiteRx does not endorse or warrant the efficacy or appropriateness of any clinical trial described on the Platform.

SITERX DOES NOT DELIVER MEDICAL OR OTHER HEALTHCARE SERVICES TO INDIVIDUALS AND IS NOT LICENSED TO PRACTICE MEDICINE. THE PLATFORM IS NOT INTENDED TO PROVIDE ADVICE OR GUIDANCE CONCERNING THE MEDICAL TREATMENT OR DIAGNOSIS OF ANY PERSON OR TO BE USED TO SHARE OR PROCESS ANY INFORMATION CREATED DURING THE CONDUCT OF A CLINICAL TRIAL.

Individuals are advised to consult a licensed health care practitioner when making healthcare decisions. Articles, commentary and other information contained on the Platform are intended to be for general academic and illustrative purposes; they are not intended to guide the treatment or diagnosis of any individual. Users of the Platform should seek specific examination, advice, evaluation and treatments from healthcare providers of their choice.

THIS PLATFORM HAS NOT BEEN FDA APPROVED AS A MEDICAL DEVICE, AND IS NOT INTENDED TO BE USED FOR MEDICAL PURPOSES, INCLUDING USE IN THE DIAGNOSIS, MONITORING, TREATMENT, CURE OR PREVENTION OF DISEASE IN, OR STATES OF HEALTH OF, HUMANS OR OTHER ANIMALS. YOU MAY NOT, AND SHALL NOT PERMIT OTHERS, TO USE THIS PLATFORM IN CONNECTION WITH MEDICAL PURPOSES, INCLUDING USE IN THE DIAGNOSIS, MONITORING, TREATMENT, CURE OR PREVENTION OF DISEASE IN, OR PHYSIOLOGICAL STATUS OF, ANY HUMANS OR OTHER ANIMALS.

 

7. Disclaimer Of Warranties

THE PLATFORM, ANY MATERIALS AND ANY RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD PARTY MATERIALS, SOFTWARE OR SERVICES, ARE PROVIDED “AS IS,” AND “AS AVAILABLE,” AND SITERX DISCLAIMS TO THE FULLEST EXTENT PERMISSIBLE BY LAW, ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, NON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS AND WARRANTIES CONCERNING QUALITY, ACCURACY, OR TIMELINESS, ARE DISCLAIMED. WITHOUT ANY LIMITATION OF THE FOREGOING, SITERX DOES NOT WARRANT THAT THE PLATFORM, AND ANY MATERIALS, RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD PARTY MATERIALS, SOFTWARE OR SERVICES, WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, THAT THEY ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT ANY INFORMATION OR DATA STORED OR TRANSMITTED THROUGH THE PLATFORM WILL NOT BE LOST, CORRUPTED OR DESTROYED.

 

8. Limitation Of Liability

SITERX SHALL NOT BE LIABLE FOR ANY INJURY, LOSS, CLAIM OR ANY DIRECT, EXEMPLARY, PUNITIVE, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES TO PROPERTY OR LIFE, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, LOSS OF DATA OR OTHER SUCH PECUNIARY LOSS) RESULTING FROM OR IN ANY WAY CONNECTED WITH YOUR USE OF THE PLATFORM, ANY MATERIALS AND ANY RELATED INFORMATION OR SERVICES, INCLUDING ANY THIRD PARTY MATERIALS, SOFTWARE OR SERVICES, EVEN IF SITERX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT WILL SITERX’S TOTAL AGGREGATE AND CUMULATIVE LIABILITY TO YOU FOR ANY AND ALL CLAIMS OF ANY KIND ARISING HEREUNDER EXCEED $500.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN TYPES OF WARRANTIES, DAMAGES, OR LIABILITIES, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU, BUT IN SUCH A CASE THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THIS SECTION SHALL BE APPLIED TO THE GREATEST EXTENT ENFORCEABLE UNDER APPLICABLE LAW.

9. Indemnification

You will, without limitation, defend, indemnify and hold SiteRx and its affiliates, and its and their respective licensors, agents, representatives, officers, directors, members, partners, and employees, harmless from and against any and all third-party claims, actions, liabilities, losses, damages, judgments, grants, costs, and expenses, including reasonable attorneys’ fees, arising out of (a) any use of the Platform, or any part thereof, by you; (b) any alleged or actual act or omission in violation of applicable law by you; (c) any alleged or actual breach of any of the terms of this Agreement or any representations or warranties hereunder by you, any party related to you, or any party acting upon your authorization; or (d) any injury or damage alleged to have been suffered as a result of the use or consumption by anyone of any materials or products as a part of your services.

 

10. Termination

These Terms constitute a binding agreement between you and SiteRx until terminated by you or SiteRx, which SiteRx may do at any time, without notice, in SiteRx’s sole discretion. If you become dissatisfied with this Platform, your only recourse is to immediately discontinue use of the Platform.

 

11. Notices

Except as explicitly stated otherwise, any notice shall be given by email to SiteRx at info@siterx.com and to you at the email address you provide to SiteRx. Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid.

 

12. General Provisions

The laws of the State of New York shall govern this Agreement. Any dispute arising out of or relating to this Agreement shall be brought exclusively in courts located within the State and County of New York, and you consent to such jurisdiction as appropriate and convenient, and shall not contest such jurisdiction. These Terms, including the documents expressly incorporated by reference, constitute the entire agreement between you and us with respect to the Platform and any services rendered by SiteRx to you, and supersede all prior or contemporaneous communications, whether electronic, oral or written. If any provision of these Terms is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be enforced to the maximum extent permissible by law so as to effect the intent of these Terms, and the remainder of these Terms shall continue in full force and effect. You agree that our performance under these Terms in accordance with their terms is performance in good faith. You agree that no joint venture, partnership, employment, or agency relationship exists between you and us as a result of these Terms or your use of the Platform. SiteRx may assign its rights under these Terms, in whole or in part, to any person or entity at any time with or without your consent; however, you may not assign these Terms without SiteRx’s prior written consent, and any unauthorized assignment by you shall be null and void. In no event shall SiteRx or its affiliates be liable to you for any damage, delay, or failure to perform resulting directly or indirectly from a force majeure event. The failure of either you or SiteRx to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. All provisions of these Terms regarding representations and warranties, indemnifications, disclaimers and limitations of liability shall survive any termination of these Terms.

 

13. Questions or Feedback

Questions or suggestions may be submitted to info@siterx.com.

If you provide any ideas, feedback, suggestions, materials, information, opinions, or other input to SiteRx (“Feedback”), regardless of any accompanying communication, SiteRx has no obligation to review, consider, or implement your Feedback. All such submissions are made on a non-confidential basis. SiteRx and its successors and assigns have an unconditional and unlimited right to use, reproduce, modify, and disclose such Feedback without any compensation or attribution, and you waive and agree not to assert any so-called “moral rights” you may have in the Feedback.

BAA for Clinical Site Users

 

 

Last updated: September 26, 2021

 

1. Introduction

To the extent applicable, this Business Associate Agreement (this “BAA”) describes the rights and obligations of SiteRx (for purposes of this BAA, the “Business Associate”) and you and/or the Business, as applicable (the “Business Entity”), applicable to Business Associate’s provision to you of the Platform and other analytic services (for purposes of this BAA, the “Services”), and the terms and conditions related to the performance of such Services.

The performance of the Services may involve the Use and/or Disclosure of Protected Health Information (defined below), and the parties are entering into this BAA in furtherance of the parties’ HIPAA compliance obligations. You represent and warrant that you have the right, authority and capacity to enter into this BAA on behalf of the Business Entity and bind Business Entity hereto. This BAA is applicable only to the extent that Business Entity is a Covered Entity or business associate to a Covered Entity under HIPAA.

SUBJECT TO THE FOREGOING, BY USING THIS PLATFORM OR ANY INFORMATION PROVIDED ON THIS PLATFORM, YOU AGREE TO BE BOUND BY THIS BAA.

Please also refer to our Terms of Access at Terms Of Access, which are incorporated as if fully recited herein (“Terms of Access”). Capitalized terms that are not defined herein shall have the meaning ascribed to them in the Terms of Access.

 

2. Definitions

Capitalized terms not otherwise defined in this BAA shall have the same meaning as those terms in the Terms of Access or in the Privacy Rule and the Security Rule (defined below).

  1. “Breach”: when capitalized, “Breach” shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in the Terms of Access, the word shall have its ordinary contract meaning.

  2. “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103.

  3. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity.

  4. “HIPAA” means collectively, the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, as amended and in effect.

  5. “Protected Health Information” or “PHI” shall have the meaning set forth in the Privacy Rule, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity. PHI includes EPHI.

  6. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D, and E, as currently in effect.

  7. “Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C.

  8. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

 

3. Business Associate Obligations.

  1. Uses and Disclosures. Business Associate shall not Use or further disclose PHI other than as permitted or required by this BAA, to perform Services or as Required By Law, provided that:
     
    • Such Use or Disclosure would not violate HIPAA if done by Business Entity; and

    • Such Use or Disclosure shall be limited to the minimum necessary to accomplish the permissible purpose(s) of the Use or Disclosure.

  2. Uses and Disclosures Permitted By Law. As permitted by the Privacy Rule, Business Associate may:
     
    • Use PHI: as is necessary for the proper management and administration of Business Associate’s organization; to provide data aggregation services relating to the health care services of the Covered Entity; and to carry out the legal responsibilities of Business Associate.

    • Disclose PHI if the disclosure is Required By Law; or is subject to reasonable assurances obtained by Business Associate from the third party to whom the PHI is disclosed that PHI will be held confidentially, securely, and Used or Disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and any breaches of confidentiality of PHI which become known to such third party will be promptly reported to Business Associate.

  3. Privacy Rule. To the extent Business Associate carries out one or more of Business Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of HIPAA that apply to Business Entity in the performance of such obligation(s).

  4. Safeguards. Business Associate shall use appropriate and sufficient safeguards to prevent Use or Disclosure of PHI other than the Uses and Disclosures permitted or required by this BAA. Business Associate shall comply with the Security Rule with respect to EPHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.

  5. Reporting. Business Associate shall promptly report, but no later than ten (10) days after discovery, to Business Entity any Use or Disclosure of PHI not permitted or required by the Terms of Access and any Security Incident of which it becomes aware in accordance with HIPAA. The parties agree that this section constitutes notice by Business Associate to Business Entity of the ongoing existence and occurrence of attempted Unsuccessful Security Incidents. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

  6. Agents and Subcontractors. Business Associate shall ensure that any and all subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing prior to the subcontractors’ receipt of such PHI, to the same terms and conditions of this BAA with respect to PHI. Each subcontract agreement must contain the same restrictions and conditions applying to Business Associate with respect to PHI, including without limitation the provisions of this BAA. Business Associate shall make such agreements with its subcontractors available to Business Entity upon Business Entity’s request.

  7. Patient Rights.
     
    • Access and Amendment. Business Associate does not expect to maintain a Designated Record Set under the Services. However, to the extent that Business Associate maintains a Designated Record Set, Business Associate shall: 
       
      • Notify Business Entity as promptly as reasonably practicable upon receipt of a request from an Individual for access to or a copy of such Individual’s PHI or to amend such Individual’s PHI;

      • Make PHI available to Business Entity, as reasonably requested by Business Entity and in accordance with 45 C.F.R. § 164.524 to enable Business Entity to respond to the Individual’s request for access; and

      • Upon receipt of notice from Business Entity, promptly amend any portion of the PHI so that Business Entity may meet its amendment obligations under 45 C.F.R. § 164.526.

    • Patient Right to Request Accounting. Business Associate shall document and make available to Business Entity the information required to provide an accounting of disclosures within ten (10) days of receipt of Business Entity’s request or, as directed by Business Entity, to the subject of the PHI, in compliance with the requirements of 45 C.F.R. §164.528. If any Individual requests an accounting from Business Associate, Business Associate shall, within two (2) business days, notify Business Entity of the details of such request. Business Associate agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.

  8. Audit. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of Business Entity available to the Secretary of Health and Human Services, upon request, solely for purposes of determining and facilitating Business Entity’s compliance with HIPAA.

  9. De-identified Data. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and may Use or Disclose such de-identified data to the extent permitted under HIPAA and unless prohibited by applicable law. Business Associate shall have the rights to the use and ownership of the De-Identified Data as set forth in the Terms of Access.

  10. Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this BAA, the Privacy Rule, the Security Rule, or other applicable federal or state law.

  11. Breach. If Business Associate has knowledge or a reasonable belief a Breach of Unsecured Protected Health Information has occurred, Business Associate shall notify the Business Entity within fifteen (15) days of discovery. Such notification shall include, to the extent possible, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, Used or Disclosed during the Breach, along with any other information that the Business Entity will be required to include in its notification to the Individual, the media and/or the Secretary and a description of the Business Associate’s investigation, mitigation, and prevention efforts.

 

4. Business Entity Obligations

  1. Notice of Privacy Practices. Business Entity shall notify Business Associate of limitation(s) in its notice of privacy practices to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.

  2. Individual Permission. Business Entity shall notify Business Associate of changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.

  3. Restrictions. Business Entity shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI that Business Entity has agreed to, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.

 

5. Term & Termination

  1. Term. The Term of this BAA shall begin on the Effective Date, and shall continue until all PHI provided by Business Entity to Business Associate is destroyed or returned to Business Entity. If it is infeasible to return or destroy all PHI, this BAA shall continue for so long as PHI is maintained by Business Associate, which maintenance shall be in accordance with Section 4(c) herein.

  2. Termination.
     
    • By Business Entity. Upon determination by Business Entity, in its reasonable discretion, of a material breach by Business Associate of this BAA, Business Entity may terminate this BAA upon thirty (30) days’ notice; provided however, Business Entity shall not terminate if Business Associate takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this BAA on a forward-looking basis within such thirty (30) day notice period.

    • By Business Associate. Upon determination by Business Associate, in its reasonable discretion, of a material breach by Business Entity of the Terms of Access, Business Associate may terminate this BAA upon thirty (30) days’ notice; provided however, Business Associate shall not terminate if Business Entity takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this BAA on a forward-looking basis within such thirty (30) day notice period.

  3. Return on Termination. At termination of this BAA, the Terms of Access or the Business Entity’s right to access the Platform, to the extent feasible, Business Associate shall return or destroy all PHI Business Associate maintains in any form and shall retain no copies of PHI, except for PHI that has been De-identified such that it is no longer protected under HIPAA. Notwithstanding anything herein to the contrary, if Business Associate determines, in its reasonable discretion, the return or destruction of such PHI is not feasible, Business Associate shall extend the protections of this BAA to the remaining information and limit further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.

  4. Survival. The terms of this Section shall survive the termination or expiration of this BAA.

 

6. Required Disclosure

If Business Associate is confronted with legal action to disclose any PHI, Business Associate shall, to the extent permitted, promptly notify Business Entity of such action. Thereafter, upon request by Business Entity, Business Associate shall use reasonable efforts to assist Business Entity in obtaining a protective order or other similar order, and shall disclose only the minimum amount of PHI that is required to be disclosed in order to comply with the legal action, whether or not a protective order or other order has been obtained.

 

7. Compliance with Laws

Business Associate shall comply with all applicable federal, state and local laws, rules and regulations. To the extent that Business Entity’s operations constitute a “Part 2 Program” as defined in the federal alcohol and drug rehabilitation regulations at 42 C.F.R. Part 2 (“Part 2”), and PHI provided to Business Associate contains “records” as defined in 42 C.F.R. § 2.11 (“Substance Use Disorder Records”), Business Associate acknowledges that, with respect to Substance Use Disorder Records and in receiving, storing, processing, or otherwise dealing with Substance Use Disorder Records, Business Associate is fully obligated and bound to comply with Part 2. Business Associate (i) shall use, disclose, and release Substance Use Disorder Records in accordance with Part 2, and (ii) if necessary, will resist in judicial proceedings any efforts to obtain access to Substance Use Disorder Records and patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by Part 2. With respect to the Part 2 Program, Business Associate also will be a qualified service organization as defined under Part 2.

 

8. Conflict

Except as specifically required to implement the purposes of this BAA, and except to the extent inconsistent with this BAA, all terms of the Terms of Access shall remain in full force and effect. In the event of a conflict between the terms of the Terms of Access and this BAA, this BAA shall control. This BAA supersedes any and all other agreements between the parties related to this subject matter.

 

9. No Third-Party Beneficiaries

Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Business Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

 

10. Amendment

This BAA is subject to change. Subject to applicable law, Business Associate may amend this BAA from time to time by posting the revised BAA on the Platform and/or otherwise making Business Entity aware of the changes. Business Entity’s continued use of the Platform following our notice of changes to this BAA (or other method of legal acceptance) signifies acceptance of such changes. Please refer to the “Last updated” date above to see when this BAA was last updated.