LAST UPDATED: DECEMBER 05, 2023

DentalRay Customer Agreement

This DentalRay Teleradiology Consulting Services Agreement is entered into by and between DentalRay, Inc., a Utah corporation (“DentalRay,” “Company,”) a physician owned entity contracting with DentalRay (collectively “we,” “us,” or “our”) and you and your affiliates (“Practice,” “you,” or “your”), and governs your acquisition and use of the Services via the Platform (each as defined below). By (i) checking a box indicating your acceptance, (ii) executing an Order Form that references this Agreement, or (iii) accessing or using the Platform, you agree to be bound by this Agreement.

If you are accessing and using the Platform on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to these terms. In that case, “you”, “your” and “Practice” will refer to that company or other legal entity.

This Agreement is effective between us as of the date of your accepting this Agreement (the “Effective Date”).

Services

We provide a proprietary software platform (the “Platform”) connecting dental professionals and dental specialists with independent contractor radiologists licensed in your state through a physician owned entity (the “Specialists”) to deliver radiological interpretations (the “Services”).

The Specialists will furnish the Services in accordance with all applicable federal, state and local laws, statutes, ordinances and regulations, and in accordance with generally accepted medical and ethical standards, including but not limited to, accreditation standards, prevailing in the community at the time the Services are rendered.

We and the Specialists will be bound by and comply with all of your written rules, regulations, policies and procedures in existence as of the Effective Date and as may be adopted during the term of this Agreement.

You acknowledge and agree that the Specialists will not be required to devote their entire working time to duties hereunder, but may continue their practice of medicine independently, which practice is a wholly separate professional activity of the Specialists; provided that such other activities do not hinder the Specialists’ ability to satisfy all obligations and standards of performance to you under this Agreement.

You are responsible for providing or arranging, at your sole cost and expense, for all hardware, software and equipment, compatible with our hardware and software, to be utilized at your site. You will ensure that you have all network and security systems and equipment compatible with our network in order to utilize the Platform.

DentalRay Is Not a Provider of Medical Services

You expressly acknowledge and agree that we only provide a software platform connecting dental professionals and dental specialists with subspecialist physicians trained in radiology. We do not have control over or the right to direct the medical decision making or methods by which the Specialists perform the Services. As a result, we have no liability of any kind with respect to any aspect of the Services as they relate to the diagnosis or treatment of any patient.

Scans and Radiology Reports

Throughout this Agreement, DentalRay, its employees, or software will transfer radiological scans (each, a “Scan”) performed by you through the CBCT machine to DentalRay’s network to which the DentalRay Platform is linked. A Specialist will deliver a report to you (an “Overread Report”) interpreting the Scan and reporting any incidental findings, including but not limited to critical incidental findings. You may elect to receive an additional report (each, an “additional report,” “OMR Report,” or a 3rd party “AI Report Generator,” etc., and together with an Overread Report, a “Report”) from the Specialist, in which the Specialist will interpret the Scan, report any incidental findings, and provide a comprehensive description of each anatomical area represented in the Scan. Specialists will exercise commercially reasonable efforts to deliver the Report within 72 hours after receipt of a Scan in the Platform. Please note that Specialists only provide Reports on 3D radiological scans; any requests for a 2D radiological scan Report must be requested separately by you in writing.

You are solely responsible for obtaining any necessary consent(s) from patients relating to the provision of teleradiology services.

We will archive each final Report for a period of [seven (7) years] from the date Services are rendered, without any additional charge to you. We reserve the right to suspend or revoke access of any of your representatives who have access to the archives of each Report if such individual is adversely affecting the system, as determined in our discretion.

We will also provide a copy of a Report upon written request or legal process by authorized government agencies without charge and pursuant to legal process in private litigation upon payment of reasonable expenses; provided, that upon receipt of legal process in private litigation, we will notify you in writing prior to delivery of subpoenaed records. In connection with private litigation, we reserve the right to consult counsel and to require payment of its legal fees by the party demanding the subpoenaed records. We will have no liability to you or any other person without a showing of bad faith or willful misconduct for providing any patient records to governmental agencies and in private litigation.

Fees; Payment Obligations

You agree to pay the fees for the Services (the “Fees”) as set forth in the ordering document, quote, or online order specifying the Services to be provided that is entered into between us, including any addenda and supplements thereto (the “Order Form”). Unless otherwise agreed to between us in writing, the Services are provided on an ongoing, per-license subscription-basis including automatically recurring payments for periodic charges, according to the terms and conditions of this Agreement. Except as otherwise specified herein or in an Order Form, (i) fees are based on Services subscriptions and not actual usage, (ii) payment obligations are non-cancelable and fees paid are non-refundable, and (iii) quantities purchased cannot be decreased during the relevant subscription term.

Payment for all Fees is due within thirty (30) days of the invoice date. If we are unable to process/receive the Fees when due and owing, payment shall be considered overdue, and we will have the right to charge interest on all overdue amounts at the annual rate of 12%, compounded monthly, or the maximum lawful amounts, whichever is less. Additionally, after payment becomes overdue, we will have the right to (i) immediately suspend your access to the Platform, (ii) immediately suspend our performance of the Services, and/or (iii) seek to enforce your payment obligations, including through the use of third-party services.

You agree that the payment method for the Fees will be via credit card, ACH, or direct debit. As such, you authorize us to charge the Fees automatically. If you elect to pay by credit card, then you are responsible for both (i) enabling auto-recharge on your account, and (ii) ensuring that your account has a sufficient positive balance to cover all Fees when due.

The Fees are exclusive of all taxes, and you agree to pay any applicable taxes or levies, whether domestic or foreign, other than taxes based on our income.

We reserve the right to increase Fees for any Services upon sixty (60) days’ prior written notice.

If you dispute one or more items in an invoice in good faith, promptly notify us (and in any event before the due date thereof) in writing of the item(s) under dispute and the reasons therefor. You may withhold payment of the disputed portion of the invoice until the dispute is resolved; provided, however, that any undisputed portion shall be paid within the time period specified.

We will not bill or collect from any of your patients or payers for the Services provided by the Specialists pursuant to the terms of this Agreement. You are solely responsible to pay our Fees. The failure of a patient, a patient’s insurance provider, governmental agency or other payor to pay you for a case does not vitiate your obligation to pay us as provided herein. You are solely responsible for collecting fees for services you render to your patients.

Platform Fees

Platform specific fees, if applicable, are subscription based. Platform fees are based on Services subscriptions and not actual usage. Payment obligations are non-cancelable and fees paid are non-refundable, and quantities purchased cannot be decreased during the relevant subscription term.

Term; Termination

The term of this Agreement shall commence on the Effective Date and shall continue for the time specified in the applicable Order Form, unless sooner terminated as provided herein. The Agreement will automatically renew for additional one (1) year terms unless either party notifies the other at least sixty (60) days prior to the end of any term that it does not wish the Agreement to renew.

You and we may terminate this Agreement by providing no less than ninety (90) days’ written notice of termination to the other. This Agreement will terminate at the end of the applicable notice period. Additionally, you and we may terminate this Agreement upon written notice to the other (i) if the other party breaches any term of this Agreement and (ii) fails to cure that breach within fifteen (15) days after receipt of written notice specifying the alleged breach. Finally, you and we may terminate this Agreement with seven (7) days’ written notice upon the other party’s general assignment for the benefit of creditors, the other party’s petition for relief in bankruptcy or similar laws for the protection of debtors upon the initiation of such proceedings against the other party if the same are not dismissed within forty-five (45) days of service, or upon notice of a finding that the other party is insolvent under applicable law.

HIPAA and Privacy Requirements

Our services, process, security, confidentiality, disclosure policies, administrative policies, offices and data center and archive comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and, effective February 17, 2010, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and regulations, as amended and in effect from time to time. If you are a Covered Entity or Business Associate, as defined in HIPAA, each of us agrees to the terms of our Business Associate Addendum (currently available at https://dentalray.com/customer-terms/#HBAA), which may be amended from time to time, and which is specifically incorporated herein by reference.

Insurance

You will maintain or cause to be maintained professional and general liability insurance covering professional malpractice of not less than one million dollars ($1,000,000) per claim and three million dollars ($3,000,000) in the aggregate, covering you, your agents and employees, including coverage for such entity’s or person’s performance of duties and obligations under this Agreement. All insurance policies shall name DentalRay, Inc. as an additional insured, and shall contain a waiver of subrogation against us, our employees, and agents, including any physician owned entity with which we have a contractual relationship. You will provide, upon request, a copy of an endorsement providing such coverage.

Independent Contractors

Nothing contained in this Agreement shall create or be construed as creating a partnership, joint venture, or employment relationship between us and you. We, through the Specialists via the Platform, shall furnish the Services as an independent contractor and not as your employee. Neither we nor you shall be liable, except as otherwise expressly stated in this Agreement, for any obligations or liabilities incurred by the other. We have no power or authority to act for, represent, or bind you in any manner, except as otherwise set forth in this Agreement. We also have no supervisory or management authority over your employees and contractors.

Indemnification

We agree to indemnify and hold harmless you from and against any and all liabilities, claims, damages, losses and expenses (including reasonable attorneys’ fees) (“Claims”) incurred by you resulting from an action by a third party (other than your affiliate) which alleges that your use of the Platform in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights. The foregoing obligation does not apply to the extent that the alleged infringement arises from (i) access to or use of the Platform in a modified form or in combination with any hardware, system, software, network, or other materials or service not provided by us (to the extent that the combination is the cause of the Claims); (ii) any information or data provided by us or any other third party where such is the proximate cause of the Claim; (iii) any Claims related to your infringement of any third party intellectual property; (iv) your violation of applicable law; or (v) where your use of the Platform is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Platform is held by a court of competent jurisdiction to be, or is believed by us to be infringing, we may, at our option and expense: (i) replace or modify the Platform to be non-infringing, provided that such modification or replacement contains substantially similar features and functionality, (ii) obtain for you a license to continue using the Platform, or (iii) if neither of the foregoing is commercially practicable, terminate this Agreement and your rights hereunder and provide you a prorated refund of any prepaid, unused Fees for the Services.

You agree to indemnify and hold harmless us and our officers, directors, employees, representatives and agents, including but not limited to any physician owned entity with which we have a contractual relationship, from and against any and all Claims (i) resulting from or arising out of any breach of any representation and warranty provided herein; (ii) resulting from or arising out of any failure by you to perform or otherwise fulfill any undertaking or other agreement or obligation hereunder; (iii) violation of applicable law; or (iv) your negligence or willful misconduct.

Limitation of Liability

TO THE MAXIMUM EXTENT NOT PROHIBITED BY APPLICABLE LAW, IN NO EVENT WILL WE, OUR SUPPLIERS, OR OUR AGENTS, INCLUDING BUT NOT LIMITED TO ANY PHYSICIAN OWNED ENTITY WITH WHICH WE HAVE A CONTRACTUAL RELATIONSHIP, BE LIABLE FOR ANY LOSS OF USE, LOST OR INACCURATE DATA, INTERRUPTION OF BUSINESS, LOST PROFITS, COSTS OF DELAY, REPUTATIONAL HARM, OR ANY INDIRECT, SPECIAL, INCIDENTAL, COVER, RELIANCE, OR CONSEQUENTIAL DAMAGES OF ANY KIND, HOWEVER CAUSED, EVEN IF INFORMED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL WE, OUR SUPPLIERS, OR OUR AGENTS’ TOTAL LIABILITY EXCEED IN AGGREGATE THE AMOUNT ACTUALLY PAID BY YOU TO US FOR THE APPLICABLE SERVICE(S) OR RELATED SERVICE(S) IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. IN ADDITION, THE LAWS IN SOME JURISDICTIONS MAY NOT ALLOW SOME OF THE LIMITATIONS OF LIABILITY IN THIS SECTION. IF ANY OF THESE LAWS IS FOUND TO APPLY TO THIS AGREEMENT, THIS SECTION WILL APPLY TO THE MAXIMUM EXTENT NOT PROHIBITED BY SUCH LAW.

EACH PARTY ACKNOWLEDGES AND AGREES THAT THIS SECTION IS A FUNDAMENTAL BASIS OF THE BARGAIN AND A REASONABLE ALLOCATION OF RISK BETWEEN THE PARTIES AND WILL SURVIVE AND APPLY TO ANY CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT, THE PLATFORM, OR ANY RELATED SERVICES, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE), EVEN IF ANY LIMITED REMEDY IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. EACH PROVISION OF THESE TERMS THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS INTENDED TO AND DOES ALLOCATE THE RISKS BETWEEN THE PARTIES UNDER THESE TERMS. THIS ALLOCATION IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THESE TERMS. THE LIMITATIONS IN THIS SECTION WILL APPLY EVEN IF ANY LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

Severability

If any term or provision of this Agreement or application to any person or circumstance shall to any extent be invalid or unenforceable, the remainder of this Agreement or the application of such term or provision to persons or circumstances other than those as to which it is held invalid or unenforceable shall not be affected and each term and provision of this Agreement shall be valid and enforceable to the fullest extent permitted by law.

Assignment

This Agreement is not assignable, transferable or sublicensable by either party you or us with the other’s prior written consent; provided, however, that either party may assign or transfer this Agreement: (a) to an affiliate where (i) the assignee has agreed in writing to be bound by the terms of this Agreement, and (ii) the assigning party has notified the other party of the assignment, in writing; and (b) in the event of a merger, sale of substantially all of the stock, assets or business, or other reorganization involving the assigning party, and the non-assigning party’s prior written consent shall not be required in such instance with the express understanding that in cases where the assigning party is not the surviving entity, this Agreement will bind the successor in interest to the assigning party with respect to all obligations hereunder. Any other attempt to transfer or assign is void.

Waiver of Breach

The waiver of any breach of any term or condition of this Agreement is not a waiver of any other term or condition of this Agreement.

Notices

All notices pursuant to this Agreement shall be in writing and shall be given by depositing said notices in the United States registered or certified mails, return receipt requested, addressed to the parties hereto at the addresses set forth in the Order Form, or to such other address as may hereafter be specified by any party or parties. All notices given in the manner prescribed in this section shall be deemed properly served upon receipt. Any notices to Company shall be sent at the following address: DentalRay, Inc., 560 S 100 W St. Suite 15, Provo, UT 84601, Attn: Derek Swanson.

Governing Law and Jurisdiction

This Agreement shall be governed by, construed and enforced in accordance with the laws of the State of Utah.

Entire Agreement

This Agreement and the other documents expressly incorporated herein, contains the entire agreement of the parties with respect to its subject matter, and as of the Effective Date, supersedes all previous and contemporaneous agreements and understandings, inducements or conditions, expressed or implied, oral or written, between the parties with respect to the subject matter hereof. The parties agree that any term or condition stated in a Customer purchase order or in any other Customer order documentation (excluding Order Forms) is void. In the event of a conflict or inconsistency among the following documents, the order of precedence shall be: (i) the applicable Order Form, and (ii) this Agreement.

Waiver of Jury Trial

The parties hereto irrevocably and unconditionally waive any right they may have to trial by jury in respect of any litigation directly or indirectly arising out of or relating to this Agreement. In the event of litigation, a copy of this agreement may be filed as a written consent to a trial by the court.

Third-Party Beneficiaries

There are no third-party beneficiaries under this Agreement.

_______

HIPAA BUSINESS ASSOCIATE ADDENDUM

This HIPAA Business Associate Addendum (this “BAA”) shall be incorporated into the applicable DentalRay Teleradiology Consulting Services Agreement between Practice (“Covered Entity” or “Provider”) and DentalRay, Inc., a Utah corporation (“Business Associate”).

RECITALS

WHEREAS, Covered Entity and Business Associate entered into a written agreement (the “Agreement”) pursuant to which Business Associate provides services to Covered Entity, and in conjunction with the provision of such services, certain Protected Health Information (“PHI”) and/or certain electronic Protected Health Information (“ePHI”) may be made available to Business Associate for the purposes of carrying out its obligations under the Agreement; and,

WHEREAS, the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), more specifically the regulations found in Title 45, C.F.R., Parts 160 and 164, Subparts A and E (the “Privacy Rule”) and/or 45 C.F.R. Part 164, Subpart C (the “Security Rule”), as may be amended from time to time, which are applicable to the protection of any disclosure or use of PHI and/or ePHI pursuant to this BAA; and,

WHEREAS, the provisions of Subtitle D entitled “Privacy” of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, and the implementing regulations adopted thereunder, as may be amended from time to time, impose certain requirements on business associates; and

WHEREAS, Provider is a Covered Entity, as defined in the Privacy Rule; and,

WHEREAS, Business Associate, when on behalf of Covered Entity, creates, receives, maintains or transmits PHI and/or ePHI, is a business associate as defined in the Privacy Rule; and,

WHEREAS, the parties intend to enter into this BAA to address the requirements of HIPAA, HITECH, Privacy Rule, and Security Rule as they apply to Business Associate as a business associate of Covered Entity, including the establishment of permitted and required uses and disclosures (and appropriate limitations and conditions on such uses and disclosures) of PHI and/or ePHI by Business Associate that is created or received in the course of performing services on behalf of Covered Entity, and to incorporate the business associate obligations set forth in HITECH; and,

WHEREAS, the parties agree that any disclosure or use of PHI and/or ePHI be in compliance with the Privacy Rule, Security Rule, HITECH, or other applicable law;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

1. DEFINITIONS. Unless otherwise provided in this BAA, or specifically defined in Paragraph B of this Section 1, the capitalized terms shall have the same meanings as set forth in the Privacy Rule, Security Rule, and/or HITECH, as may be amended from time to time.
   A. “Breach,” when used in connection with Unsecured PHI, means, as defined in 45 C.F.R. § 164.402, the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule (45 C.F.R. Part 164, Subpart E), which compromises the security or privacy of the PHI. Except as otherwise excluded under 45 C.F.R. § 164.402, such acquisition, access, use or disclosure is presumed to be a Breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
      (1) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
      (2) The unauthorized person who used the PHI or to whom the disclosure was made;
      (3) Whether the PHI was actually acquired or viewed; and
      (4) The extent to which the risk to PHI has been mitigated.
   B. “Discovered” means the first day on which such Breach is known to such Covered Entity or Business Associate, respectively, (including any person, other than the individual committing the Breach, that is an employee, officer or other agent of such entity or associate, respectively) or should reasonably have been known to such Covered Entity or Business Associate (or person) to have occurred.
   C. “Electronic Protected Health Information” (“ePHI”) means, as defined in 45 C.F.R. § 160.103, PHI transmitted by or maintained in electronic media, and for purposes of this BAA, is limited to the ePHI that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity.
   D. “Order Form” means an order form, online order (including click-thru setup of the services) or similar agreement, including any exhibits or attachments thereto, for the provision of Business Associate Services, entered into by the parties, incorporated by reference into, and governed by, the Agreement.
   E. “Protected Health Information” (“PHI”) shall generally have the meaning given such term in 45 C.F.R. § 160.103, which includes ePHI, and for purposes of this BAA, is limited to PHI, including ePHI, that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity.
   F. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his/her designee.
   G. “Subcontractor” means a person to whom a business associate delegates a function, activity, or service other than in the capacity of a member of the workforce of such business associate.
   H. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under 42 U.S.C. § 17932(h)(2).
2. PERMITTED AND REQUIRED USES AND DISCLOSURES. Business Associate may Use or cause Disclosure of PHI for Customer or on Customer’s behalf as specified in the Agreement. Except as otherwise limited in this BAA, Business Associate may Use or cause Disclosure of PHI as necessary for its proper internal management and administration and/or to carry out the legal responsibilities of Business Associate, provided that any such Disclosure will be made only if Business Associate obtains reasonable written assurances from the recipient of PHI that: (a) the PHI will be held confidentially, (b) any Use or Disclosure of the PHI will be solely as required by law or for the purpose for which Disclosure occurred to the recipient, and (c) the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
   A. Unless otherwise limited herein, in addition to any other uses and/or disclosures permitted or required by this BAA or required by law, Business Associate may:
      (1) Use the PHI and/or ePHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if authorized by this BAA or pursuant to the written request of Covered Entity.
      (2) De-identify any and all PHI and/or ePHI of Covered Entity received by Business Associate under this BAA provided that the De-identification conforms to the requirements of the Privacy Rule and/or Security Rule and does not preclude timely payment and/or claims processing and receipt.
   B. Business Associate shall not use or disclose PHI it receives from Covered Entity, nor from another business associate of Covered Entity, except as permitted or required by this BAA, or as required by law.
3. OBLIGATIONS OF COVERED ENTITY
   A. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity agrees that it will make its best efforts to promptly notify Business Associate in writing of any restrictions, limitations, or changes on the use, access and disclosure of PHI and/or ePHI agreed to by Covered Entity in accordance with 42 U.S.C. § 17935(a), that may affect Business Associate’s ability to perform its obligations under this BAA. Covered Entity shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate to violate this BAA or any applicable law.
   B. Proper Use of PHI. Covered Entity shall not request Business Associate to use, access, or disclose PHI and/or ePHI in any manner that would not be permissible under the Privacy Rule, Security Rule, and/or HITECH.
   C. Authorizations. Covered Entity will obtain any authorizations necessary for the use, access, or disclosure of PHI and/or ePHI, so that Business Associate can perform its obligations under this BAA.
   D. Actions in Response to Business Associate Breach. Covered Entity shall complete the following in the event that Covered Entity has determined that Business Associate has a Breach:
      (1) Determine appropriate method of notification to the patient/client(s) regarding a Breach as outlined in 45 C.F.R. § 164.404(d).
      (2) Send notification to the patient/client(s) without unreasonable delay but in no case later than sixty (60) days of Discovery of the Breach with at least the minimal required elements as follows:
         a) Brief description of what happened, including the date of the Breach and the date of Discovery;
         b) Description of the types of Unsecured PHI involved in the Breach (such as name, date of birth, home address, Social Security number, medical insurance, etc.);
         c) Steps patient/client(s) should take to protect themselves from potential harm resulting from the Breach;
         d) Brief description of what is being done to investigate the Breach, to mitigate harm to patient/client(s) and to protect against any further Breaches; and
         e) Contact procedures for patient/client(s) to ask questions or learn additional information, which must include a toll-free telephone number, an E-Mail address, website or postal address.
      (3) Determine if notice is required to the Secretary.
      (4) If required, submit Breach information to the Secretary within the required timeframe, in accordance with 45 C.F.R. § 164.408(b).
   E. Contract Violations by Business Associate. Pursuant to 45 C.F.R. § 164.504(e)(1)(ii), if Covered Entity knows of a pattern of activity or practice of the Business Associate that constitutes a material breach or violation of the Business Associate’s obligations under this BAA, Covered Entity must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Covered Entity shall terminate the Agreement, if feasible.
    4. OBLIGATIONS OF BUSINESS ASSOCIATE
  1. A. Minimum Necessary. Business Associate shall request, use, access or disclose only the minimum amount of PHI and/or ePHI as permitted or required by this BAA and as necessary to accomplish the intended purpose of the request, use, access or disclosure in accordance with the Privacy Rule (45 C.F.R. § 164.502(b)(1)).
  2. B. Appropriate Safeguards. Business Associate will use reasonable and appropriate safeguards and comply, where applicable, with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI and/or ePHI other than as provided for by this BAA. Business Associate shall implement administrative, physical and technical safeguards in accordance with the Security Rule under 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316.
  3. C. Mitigation. Business Associate shall have procedures in place to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use, access or disclosure of PHI and/or ePHI by Business Associate in violation of this BAA.
  4. D. Access to Records. Business Associate shall make internal practices, books, and records including policies and procedures, relating to the use, access, disclosure, and privacy protection of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity under this BAA, available to the Secretary, for purposes of determining, investigating or auditing Business Associate’s and/or Covered Entity’s compliance with the Privacy and Security Rules and/or HITECH, subject to any applicable legal restrictions.
  5. E. Carrying Out Covered Entity’s Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that applies to Covered Entity in the performance of such obligations.
  6. F. Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall require Subcontractors that create, receive, maintain or transmit PHI and/or ePHI on behalf of Business Associate, to agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to the PHI and/or ePHI, including the restrictions, conditions and requirements set forth in this BAA.
  7. G. Reporting of Improper Access, Use or Disclosure Breach. Business Associate will report to Covered Entity: (i) any Use and/or Disclosure of PHI that is not permitted or required by this BAA of which Business Associate becomes aware; (ii) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (iii) any Breach of Customer’s Unsecured PHI that Business Associate may Discover (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule). For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, unsuccessful attempts at unauthorized access, Use, Disclosure, modification, or destruction, including but not limited to pings, denial of service attacks, port scans, broadcast attacks on firewalls, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
    1. (1) Should the Breach of Unsecured PHI involve more than 500 residents of a single State or jurisdiction, Business Associate shall provide to Covered Entity, no later than the Notice Date, the information necessary for Covered Entity to prepare the notice to media outlets as set forth in 45 C.F.R. § 164.406.
    2. (2) Should the Breach of Unsecured PHI involve 500 or more individuals, Business Associate shall provide to Covered Entity, no later than the Notice Date, the information necessary for Covered Entity to prepare the notice to the Secretary as set forth in 45 C.F.R. § 164.408.
    3. (3) Should the Breach of Unsecured PHI involve less than 500 individuals, Business Associate shall maintain a log of such Breaches and provide such log to Covered Entity, for submission to the Secretary, on an annual basis and not later than forty-five (45) days after the end of each calendar year.
    5. ACCESS TO PHI, AMENDMENT AND DISCLOSURE ACCOUNTING. Business Associate agrees to:
  1. A. Provide access, at the request of Covered Entity, within five (5) days, to PHI, including ePHI if maintained electronically, in a Designated Record Set, to Covered Entity, or to an individual or individual’s designee as directed by Covered Entity, as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524.
  2. B. Make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to, at the request of Covered Entity or an individual, pursuant to 45 C.F.R. § 164.526, within thirty (30) days of the request of Covered Entity.
  3. C. At the written request of Covered Entity, make available to Covered Entity such information relating to Disclosures made by Business Associate as required for Covered Entity to make any requested accounting of Disclosures in accordance with 45 C.F.R. § 164.528 of which Business Associate is aware, if Covered Entity has reason to request such an accounting.
    6. TERM AND TERMINATION
  1. A. Term. This BAA shall commence upon the Effective Date and terminate upon the expiration or termination of the Agreement (“Termination Date”) unless sooner terminated in accordance with the terms and conditions of this BAA.
  2. B. Termination for Cause. Covered Entity may terminate this BAA, effective immediately, if Covered Entity, in its sole discretion, determines that Business Associate has breached a material provision of this BAA relating to the privacy and/or security of the PHI. Alternatively, Covered Entity may choose to provide Business Associate with notice of the existence of an alleged material breach and afford Business Associate with an opportunity to cure the alleged material breach. In the event Business Associate fails to cure the breach to the satisfaction of Covered Entity in a timely manner, Covered Entity reserves the right to immediately terminate this BAA.
    1. (1) Effect of Termination. Upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI and/or ePHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, no later than sixty (60) days after the date of termination. Business Associate shall certify such destruction, in writing, to Covered Entity. This provision shall apply to all PHI and/or ePHI which is in possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI and/or ePHI.
    2. (2) Destruction not Feasible. In the event that Business Associate determines that returning or destroying the PHI and/or ePHI is not feasible, Business Associate shall provide written notification to Covered Entity of the conditions which make such return or destruction not feasible. Upon determination by Business Associate that return or destruction of PHI and/or ePHI is not feasible, Business Associate shall extend the protections, limitations, and restrictions of this BAA to such PHI and/or ePHI retained by Business Associate, its subcontractors, employees or agents, and limit further uses and disclosures of such PHI and/or ePHI to those purposes which make the return or destruction not feasible, for so long as such PHI and/or ePHI is maintained.
    7. GENERAL PROVISIONS
  1. A. Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the Privacy Rule, Security Rule, HITECH, and HIPAA generally.
  2. B. Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule, HITECH, and HIPAA generally.
  3. C. Headings. Paragraph headings contained in this BAA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this BAA.
  4. D. Nondisclosure. The parties acknowledge and agree that the terms of this BAA are not public knowledge and constitute Confidential Information under the Agreement; provided that this BAA may be disclosed as required by law or as required by regulatory authorities.
  5. E. No Agency Relationship. Nothing in this BAA is intended to make either party an agent of the other, nor to confer upon Covered Entity the right or authority to control Business Associate’s conduct in complying with the Agreement or this BAA.
  6. F. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.