This master agreement (the “Master Agreement”) is entered into between Glooko, Inc., a Delaware corporation, located at 303 Bryant Street, Mountain View, California, 94041 (the “Company”) and the Client listed on a duly executed Order Form as defined below (“Client”), as of the date of the final signature on such Order Form (“Effective Date”). The parties agree as follows:
- Order Forms. During the Term of the Agreement, defined below, Company and Client may enter into order forms (each, an “Order Form”) for the purchase of software licenses, hosting services, professional services, and hardware, as applicable (collectively, the “Deliverables”). Each Order Form is expressly subject to and incorporated into this Master Agreement and together they are collectively referred to as the “Agreement”. Company objects to and rejects all additions, exceptions, or changes to the Agreement, whether contained in any purchase order, request for proposal (“RFP”), request for quote (“RFQ”), or other form received from Client or elsewhere. The inclusion of a purchase order, RFP, RFQ, or other Client number on any Order Form or a Company invoice is for reference purposes only and is not an acceptance by Company of any terms or conditions contained therein or elsewhere.
- Fees. Client shall pay Company for the Deliverables it purchases as detailed in each Order Form entered into between the parties. Payment is due thirty (30) days from the date of each invoice. Except as otherwise agreed to in an Order Form, Company reserves the right to increase its fees and rates for the Deliverables upon the completion of the Initial Term and any subsequent Renewal Term. Company shall provide at least sixty (60) days of notice to Client prior to any change to rates or fees for a subsequent Renewal Term and should Client choose to terminate services by provision of written notice to Company, prior to the start of any subsequent Renewal Term effective date. Any undisputed amount past due more than thirty (30) days, shall earn interest on the overdue balance at the rate of one-half percent (1.5%) per month or the maximum permitted by law, whichever is less, plus all expenses of collection.
- Suspension. Non-payment or late payment of undisputed fees is a material breach of this Agreement, and shall entitle Company, in its sole discretion, to (i) withhold performance and discontinue service until all amounts due are paid in full; or (ii) terminate this Agreement with immediate effect by providing Client with written notice. Company reserves the right, in its sole discretion, to withhold performance and discontinue service upon detection of potential illegal use by Client, or for law enforcement actions.
- Taxes. The fees payable under the Agreement shall not include local, state or federal sales, use, value-added, excise or personal property or other similar taxes or duties now in force or enacted in the future imposed on the transaction and/or the delivery of the Deliverables, all of which Client shall be responsible for and pay in full except those taxes based on the net income of Company. If Client claims tax exempt status, certificate of such status should be submitted to Company prior to execution of an Order Form.
- Term and Termination.
- 5.1 Term. The term of this Agreement begins on the Effective Date and lasts until terminated in accordance with this section.
- 5.2 Termination. A party may terminate this Agreement: (i) for cause upon thirty (30) days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period; (ii) for cause if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors; (iii) if there are no active Order Forms in effect, by sending written notice to the other party.
- 5.3 Effect of Termination. Upon termination Company shall discontinue provision of services. Termination will not relieve Client of the obligation to pay any fees due or payable to Company prior to the effective date of termination, including annual fees, implementation fees, training fees, subscription fees, or any other fees or payments that Client has committed to under the Agreement.
- Transition Services. At the request of Client, for up to ninety (90) days after termination of this Agreement, Company agrees to provide Client with support and transition services at its then-current rates. The provisions of this Agreement will remain in effect for the agreed upon transition assistance period and will apply to all transition assistance services provided by Company during such period.
- Client Cooperation. Client acknowledges that its timely provision of appropriate personnel, equipment, assistance, cooperation, and complete and accurate information and data from its officers, agents, and employees, and suitably configured computer products are essential to Company’s performance under this Agreement. Company shall not be liable for any deficiency in its performance if such deficiency results from Client’s failure to provide full cooperation. Client agrees that it is responsible for providing and maintaining its own Internet access and all necessary telecommunications equipment, software and other materials at its own location necessary for its use of the Deliverables. A list of compatible web browsers supported by Company in its provision of the Deliverables are available at https://support.glooko.com, as may be amended and updated by Company from time to time in its sole discretion.
- Security. Company maintains commercially reasonable security measures to prevent unauthorized access to all data, computer hardware and other equipment and/or software used by Company to provide the Deliverables under which Company documents, implements and maintains the physical, administrative, and technical safeguards necessary to: (a) comply with applicable law; and (b) protect the confidentiality, integrity, and availability, of all data and information controlled by it. Company shall maintain written security management policies and procedures to identify, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability, of all data and information controlled by it. Client shall be solely responsible for the security of Client’s own internal information technology and physical office space operating environments. Client shall immediately notify Company of any other breach of security in its use of the Deliverables or in its own systems and environments.
- Privacy Program. Company has implemented and maintained a privacy program that complies with all applicable laws. Company complies with its privacy notices and policies that relate to the use, collection, transfer, processing, access, protection, storage, or destruction of any type of personal data collected by it. Company’s Privacy Notice is available at https://www.glooko.com/privacy, as may be amended and updated by Company from time to time in its sole discretion.
- Business Continuity and Disaster Recovery Plan. Company shall maintain an adequate business continuity and disaster recovery plan in place that minimizes the impact of disruptions to its critical business processes, provides coordinated responses to potential or actual disruptions, and coordinates restoration activities once a disruption has ended. The business continuity plans shall address critical business processes, products and services that address loss of facilities, people, equipment and third party providers supporting any critical services. Company shall restore the production capability of critical information technology infrastructure (including but not limited to data centers, hardware, software and power systems) and critical voice, data and e-commerce communications links no later than 24 hours after the point of failure (the “Recovery Time Objective”). The maximum amount of data lost after a failure event, defined by the maximum amount of time between such a failure event and a complete database update, shall be no more than six (6) hours (the “Recovery Point Objective”). Company shall assess and update its business continuity plan on an annual basis. Such assessment and update shall consider the nature and extent of the services then being performed by Company in light of current business and technology risk. Plans shall provide for remediation within timeframes reasonably commensurate with the level of risk posed by the deficiency. Upon experiencing a business disruption, Company shall notify Client as soon as is practical following any material disruption in service that implicates its business continuity plan or the declaration of a disaster.
- Modifications. Company may from time to time develop enhancements, updates, improvements, modifications, extensions and other changes to the Deliverables (“Modifications”). Company has the right to implement such Modifications in its sole discretion at any time provided that such Modifications do not have a material adverse effect on the functionality or performance of the Deliverables.
- Functionality. The functionality, operation and scope of all of the Deliverables shall conform to the then current Company-issued documentation respecting each Deliverable.
- Feedback. Client, from time to time, may submit comments, information, questions, data, ideas, description of processes, or other information provided to Company in its use of the Deliverables (“Feedback”). For any and all Feedback, Client grants to Company a non-exclusive, worldwide, perpetual, irrevocable license to use, exploit, reproduce, incorporate, distribute, disclose, and sublicense any Feedback in its products and services. Client represents that it holds all intellectual or proprietary rights necessary to grant to Company such license, and that the Feedback will not violate the personal, proprietary or intellectual property rights of any third party.
- No Practice of Medicine. Client acknowledges and agrees that Company is not engaged in the practice of medicine through the provision of the any of the Deliverables to Client under this Agreement.
- Compliance with Laws. Each party shall comply with all applicable laws and government regulations in its performance under this Agreement.
- Publicity Rights. In the event Client purchases white labeling of the Deliverables or any brand attribution or linking within the Deliverables, Client grants Company a limited, nonexclusive, non-transferrable, royalty free right to display its name, logo and trademarks in such Deliverables during the Term, in the manner expressly agreed to between the parties.
- Insurance. Company shall, at its expense, carry and maintain insurance as detailed below:
- a) Umbrella Liability insurance with limits of not less than $1,000,000 each accident;
- b) Workers Compensation and Employers Liability insurance meeting minimum statutory requirements;
- c) Commercial General Liability insurance with limits of not less as follows:
- (1) $1,000,000 Each Occurrence;
- (2) $2,000,000 General Aggregate;
- d) $1,000,000 Personal & Advertising Injury;
- e) $1,000,000 Damage to Premises Rented;
- f) Medical & Biotechnology Products Liability insurance with limits of not less than $10,000,000 each occurrence and $10,000,000 general aggregate;
- g) Errors & Omissions / Cyber Liability with limits of not less than $10,000,000 each occurrence and $10,000,000 general aggregate; and
- h) Automobile Liability insurance with limits of not less than $1,000,000 each accident.
Company’s insurance shall be underwritten by an insurance company, which holds an A- or better rating from A.M. Best.
- Confidentiality. Except as expressly permitted in this section, neither party will, without the prior written consent of the other party, disclose any Confidential Information of the other party to any third party. Information will be considered Confidential Information of a party if either (i) it is disclosed by a party to the other party in tangible form and is conspicuously marked “Confidential”, “Proprietary” or the like; (ii) it is disclosed by a party to the other party in non-tangible form and is identified as confidential at the time of disclosure; (iii) it is disclosed under circumstances in which a reasonable person would consider the information confidential or proprietary; (iv) its proprietary nature is apparent from the context, contents, or nature of the information disclosed; or (v) it contains the disclosing party’s customer lists, customer information, technical information, pricing information, pricing methodologies, or information regarding the disclosing party’s business planning or business operations. In addition, notwithstanding anything in this Agreement to the contrary, the terms of this Agreement will be deemed Confidential Information of Company. Other than the terms and conditions of this Agreement, information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party without the use of the disclosing party’s Confidential Information. Each party will secure and protect the Confidential Information of the other party (including, without limitation, the terms of this Agreement) in a manner consistent with the steps taken to protect its own trade secrets and confidential information, but not less than a reasonable degree of care. Each party may disclose the other party’s Confidential Information where (i) the disclosure is required by applicable law or regulation or by an order of a court or other governmental body having jurisdiction after giving reasonable notice to the other party with adequate time for such other party to seek a protective order; (ii) if in the opinion of counsel for such party, disclosure is advisable under any applicable securities laws regarding public disclosure of business information; or (iii) the disclosure is reasonably necessary and is to that party or its affiliates’, employees, officers, directors, attorneys, accountants and other advisors, or the disclosure is otherwise necessary for a party to exercise its rights and perform its obligations under this Agreement, so long as in all cases the disclosure is no broader than necessary and the person or entity who receives the disclosure agrees prior to receiving the disclosure to keep the information confidential. Each party is responsible for ensuring that any Confidential Information of the other party that the first party discloses pursuant to this Section 8 (other than disclosures pursuant to clauses (i) and (ii) above that cannot be kept confidential by the first party) is kept confidential by the person receiving the disclosure. The parties agree that each party shall remain the exclusive owner of its own respective Confidential Information disclosed hereunder and all patent, copyright, trade secret, trademark and other intellectual property rights therein. Each party shall, upon the request of the other party, return all tangible or intangible manifestations of Confidential Information received pursuant to this Agreement (and all copies and reproductions thereof), provided the other party may retain one copy in a secure location for the purpose of evidencing compliance with this Agreement.
- Indemnity. Client shall defend, indemnify and hold harmless Company, its subsidiaries, affiliates, officers, directors, agents, employees and assigns, from and against any and all claims, suits, proceedings, losses, damages, liabilities, costs and expenses (including, without limitation, reasonable attorneys’ fees) (collectively, “Losses”) suffered or incurred by them in connection with a third party claim arising out of: (i) Client’s breach of this Agreement; (ii) Client’s use of the Deliverables; or (iii) Client’s failure to comply with laws, rules, regulations or professional standards. Company shall defend, indemnify and hold harmless Client, its subsidiaries, affiliates, officers, directors, agents, employees and assigns, from and against any and all Losses suffered or incurred by them in connection with a third party claim arising out of: (i) breach of the Agreement, (ii) its gross negligence or willful misconduct; (iii) Company’s breach of or failure to comply with laws, rules, regulations or professional standards.
- Mechanics of Indemnity. The indemnifying party’s obligations are conditioned upon the indemnified party: (i) giving the indemnifying party prompt written notice of any claim, action, suit or proceeding for which the indemnified party is seeking indemnity; (ii) granting control of the defense and settlement to the indemnifying party; and (iii) reasonably cooperating with the indemnifying party at the indemnifying party’s expense.
- LIMITATION OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, COMPANY AND ITS SHAREHOLDERS, AFFILIATES, DIRECTORS, MANAGERS, EMPLOYEES OR OTHER REPRESENTATIVES SHALL NOT BE LIABLE TO CLIENT, AUTHORIZED USERS OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES (INCLUDING ATTORNEYS’ FEES OR LOST PROFITS) THAT RESULT FROM OR ARE RELATED TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, DELAY OR INTERRUPTION IN OPERATION OR TRANSMISSION COMMUNICATION FAILURE, LOSS OF CONNECTIVITY, NETWORK OR SYSTEM OUTAGE INTERRUPTION, UNAVAILABILITY OF OR OPERATION IN COMBINATION WITH A THIRD PARTY NETWORK OR SYSTEM AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE, EVEN IF COMPANY HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT, COMPANY’S AGGREGATE LIABILITY TO CLIENT FOR DAMAGES, COSTS, AND EXPENSES SHALL NOT EXCEED THE AMOUNTS RECEIVED BY COMPANY FROM CLIENT IN THE TWELVE MONTHS PRECEDING THE EVENT GIVING RISE TO SUCH DAMAGES.The provisions of this Section allocate the risks under this Agreement between Company and Client. The parties agree that the limitations of liability set forth in this Section shall survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the fees have been set and the Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.
- Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.
- Waiver. The waiver by either party of a breach of any provision of this Agreement will not operate or be interpreted as a waiver of any other or subsequent breach.
- Severability. If any provision of this Agreement is held to be invalid or unenforceable for any reason, it shall be deemed omitted and the remaining provisions will continue in full force without being impaired or invalidated in any way. The Parties agree to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
- Notices. All notices, approvals or waivers required to be given under the terms of this Agreement (other than routine operational communications), shall be in writing, and if to Client shall be sent to the Client’s address that appears on an applicable Order Form, and if sent to Company, shall be sent to: Glooko, Inc., 303 Bryant St., Mountain View, CA 94043, Attn: Legal Department. All notices, approvals or waivers shall be sent via one of the following methods, and shall be deemed to have been received: (i) on the day given delivered by hand (securing a receipt evidencing such delivery); or (ii) on the second day after such notice is sent by a nationally recognized overnight or two (2) day air courier service, full delivery cost paid; or (iii) on the fifth day after such notice was mailed, registered mail, prepaid, return receipt requested.
- Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to the choice of law provisions thereof. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement. Any contract dispute or claim arising out of, or in connection with, this Agreement shall be finally settled by binding arbitration in Santa Clara, California, in accordance with the then current Uniform Arbitration Act rules originally created by the National Conference of Commissioners on Uniform State Laws in 1955 (the “Uniform Arbitration Act”) and the then current rules and procedures of the American Arbitration Association by one (1) arbitrator appointed by the American Arbitration Association. The arbitrator shall apply the law of the State of California, without reference to rules of conflict of law or statutory rules of arbitration, to the merits of any dispute or claim. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. The parties agree that, any provision of applicable law notwithstanding, they will not request, and the arbitrator shall have no authority to award punitive or exemplary damages against any party. In the event that any arbitration, action or proceeding is brought in connection with this Agreement, the prevailing party shall be entitled to recover its costs and reasonable attorneys’ fees. Notwithstanding the foregoing, nothing herein shall preclude either party from seeking injunctive relief in any state or federal court of competent jurisdiction without first complying with the arbitration provisions of this Section.
- Survival. Company and Client’s respective obligations hereunder which by their nature would continue beyond the termination or expiration of this Agreement shall survive.
- Assignment. This Agreement shall be binding upon the parties’ respective successors and permitted assigns. Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party, except that Company may assign its rights and obligations without consent to a successor or a party which has purchased all or substantially all of its relevant assets or business.
- Force Majeure. Neither party will be liable to the other for failure to meet its obligations under this Agreement where such failure is caused by events beyond its reasonable control such as fire, failure of communications networks, riots, civil disturbances, embargos, storms, acts of terrorism, pestilence, war, floods, tsunamis, earthquakes or other acts of God.
- Entire Agreement. This Agreement, including all additional policies and documentation appearing herein via website hyperlinks, and any subsequent document duly executed by both parties which terms is expressly incorporated by reference into this Agreement, constitutes the entire agreement between the parties. This Agreement supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, and there are no warranties, representations and/or agreements among the parties in conjunction with the subject matter hereof except as set forth in this Agreement.
HARDWARE TERMS AND CONDITIONS
- Risk of Loss. The Hardware is purchased by the Client. The risk of loss for the Hardware passes to Client upon Company’s delivery of the Hardware to the third party carrier for shipment to Client. Fees for shipping and handling, and any insurance for the Hardware while in transit to Client, are the express responsibility of Client.
- Use of Hardware. The use of the Hardware is subject to the availability and the operational limitations of the requisite equipment and associated facilities. For Hardware that is dependent upon cellular reception such Hardware may not work or may work partially in certain areas where reception is low.
- Limited Warranty. Company warrants to Client that from the date of purchase the Hardware shall be free from defects in material and workmanship for twelve (12) months. Company’s sole and exclusive liability, and Client’s sole and exclusive remedy under this limited warranty, shall be repair and/or replacement of the Hardware, as determined by Company in its sole discretion. Company shall be responsible for all shipping costs incurred in connection with returns or replacements under this section. This limited warranty is personal to the Client. Any sale, rental or other transfer or use of products covered by this warranty to or by a person other than the original user shall cause this limited warranty to immediately terminate. This limited warranty is conditioned on Client: (i) promptly notifying Company of the defect; and (ii) complying with any Company instructions or requests regarding Company’s repair or replacement of the Company Hardware, when applicable. This limited warranty does not cover:
- (i) Use of the Hardware outside of or in contradiction to the instructions provided by Company;
- (ii) Defects or damage from improper installation, operation, testing, maintenance, adjustment, or service, repair or modification by Client or a third party;
- (iii) Acts of God, accident, negligent use or misuse, abuse, cosmetic damage resulting from normal use, or any other cause other than ordinary use;
- (iv) Improper storage or operating environment, excessive or inadequate heating or air conditioning, electrical power failures, surges, electrical or electromechanical stress, water damage or other irregularities;
- (v) The use of the Hardware in conjunction with accessories, ancillary products, and peripheral equipment or unauthorized third party software or software drivers;
- (vi) Hardware which has been taken apart physically or which has had any of its software accessed in an unauthorized manner.
- DISCLAIMER OF WARRANTIES. EXCEPT AS SET FORTH IN SECTION 3 ABOVE, COMPANY MAKES NO OTHER WARRANTIES REGARDING THE HARDWARE, AND COMPANY HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE HARDWARE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY OR SECURITY. COMPANY DOES NOT WARRANT THAT ACCESS TO OR USE OF THE HARDWARE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE HARDWARE WILL BE CORRECTED, OR THAT THE HARDWARE WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. COMPANY DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES. THE HARDWARE IS NOT DESIGNED, MANUFACTURED, DELIVERED OR INTENDED FOR ANY USE WHERE FAILURE COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE. CLIENT ASSUMES RESPONSIBILITY FOR THEIR SELECTION TO ACHIEVE ITS INTENDED RESULTS, AND FOR THEIR INSTALLATION, USE, AND RESULTS OBTAINED THEREFROM.
SOFTWARE TERMS AND CONDITIONS
- License Grant. Company hereby grants to Client a non-transferable, non-exclusive, revocable, limited, right and license during the Term of the Agreement, to allow its Authorized Users (as defined below) to access and use, over public and private networks, the Company provided software modules purchased by Client (the “Software”) in an applicable Order Form, strictly for the internal business purposes of its medical practice. Company owns and retains all right, title and interest in and to the Software. The Software is provided to Client for use only as expressly set forth in this Agreement, and Client will not use the Software in whole or in part for any other use or purpose whatsoever.
- Permitted Medical Use. Client agrees that only appropriately licensed medical professionals that participate in Client’s medical practice (each, a “Physician”) shall assess, diagnose, and recommend treatment for each person seeking health care and who has a patient-physician relationship with a Physician in accordance with the applicable requirements of state law and licensure boards (each, a “Patient”). Client shall take all actions required to ensure that its use of the Software is in compliance with all applicable laws, rules, regulations and professional standards. Neither party shall interfere with, control, or otherwise influence the physician-patient relationship established between a Physician and a Patient. COMPANY SHALL HAVE NO OBLIGATION, RESPONSIBILITY OR LIABILITY FOR ANY PHYSICIAN’S PROVISION OF PROFESSIONAL SERVICES.
- Authorized Users. Client shall permit authorized users for whom it has purchased access for in an Order Form to access and use the features and functions of the Software it has purchased in this Agreement (each, an “Authorized User”). Authorized User’s may be any of Client’s employed Physicians, Patient, or any provider of medical or health services, including, but not limited to a diabetes educator, a physician assistant, nurse, physical therapist, psychotherapist, or any third party contractor employed, paid or retained by Client whom it permits to access and use the Software on its behalf. Client shall be solely responsible for verifying the identity and authenticity of all if its Authorized Users. For any of Client’s third-party Authorized Users, it shall ensure that such third parties are expressly bound by written agreement no less protective of Company than the terms herein before permitting such third parties to access and use the Software. Client shall take all reasonable precautions to ensure that the Software is utilized by its Authorized Users in a manner consistent with applicable ethical and legal requirements. Each Authorized User shall create a unique user identification and login credential for it to access and use the Software (the “User ID”). User IDs shall not be shared or used by more than one Authorized User at a time. Client is solely responsible for ensuring its Authorized Users maintain the confidentiality of log-in accounts and passwords, and credentials. Company shall not be liable for any activities undertaken by anyone using any Authorized User’s log-in accounts, passwords or credentials. Client shall immediately notify Company of any unauthorized use of the log-in accounts, passwords or credentials known to Client.
- Patient Use. Patients can subscribe to use the Software directly and upload certain data from devices used to monitor and manage their diabetes that are compatible with the Software (“Approved Devices”). In their use of the Software, the Patient has control of their personally identifiable information, personal data, and personal health information that they upload into the Software, including information from any Approved Device used to monitor glucose levels or any other device or data source (the “Patient Data”). Patient shall have the ability to control which third parties they give their Patient Data access to.
- Restrictions. Client shall not, and shall not permit or enable any third party to:
- (i) copy, modify, decompile, disable, impair, destroy, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques or algorithms of the Software by any means, or disclose any of the foregoing;
- (ii) except as expressly set forth in this Agreement, provide, host, rent, lease, lend, or use the Software for timesharing, subscription, or similar purposes;
- (iii) sublicense, resell, transfer or assign the Software or any of the rights or licenses granted under this Agreement;
- (iv) use any data mining or similar data gathering and extraction methods in connection with the Software;
- (v) use the Application Services for storage, possession, or transmission of any information, the possession, creation or transmission of which violates any state, local or federal law, including without limitation, those laws regarding stolen materials, obscene materials or child pornography;
- (vi) upload or share any content that is unlawful, harmful, threatening, abusive, tortious, defamatory, libelous, vulgar, lewd, profane, invasive of another’s privacy, or hateful;
- (vii) upload, transmit, store, or make available any content or code that contains any viruses, malicious code, malware, or any components designed to harm or limit the functionality of the Software;
- (viii) transmit content over the Software that infringes upon or misappropriates the Intellectual Property Rights or privacy rights of any third party (“Intellectual Property Rights” means copyright, moral rights, trademark, trade dress, patent, trade secret, unfair competition, right of privacy, right of publicity, and any other proprietary rights);
- (ix) enable or allow others to use the Services or Software using its account information;
- (x) access or attempt to access the Services or Software by any means other than the interface Company provides or authorizes; or
- (xi) circumvent any access or use restrictions put into place to prevent certain uses of the Software.
- Not for Emergency Use. Client understands the Software is intended to assist it in streamlining its operations of a medical practice and that the Software is not designed for use in any medical emergencies. Client shall inform its Patients that the Service is not designed for emergency use.
- No Patient Referrals. Nothing in this Agreement shall be construed as an offer for payment by one party to the other party or any affiliate of the other party of any cash or other remuneration, whether directly or indirectly, overtly or covertly, for any Patient referrals or for recommending or for arranging, purchasing, leasing or ordering any item or service.
- Restrictions on Sharing Data. Client shall not: (i) publicly share or publish reports or analysis that includes Patient Data or any non-public data respecting the Approved Devices (or any set of metadata contained therein); (ii) commercialize any product offerings utilizing the Patient Data or any non-public data respecting the Approved Devices (or any data contained therein); or (iii) sublicense or share the Patient Data or any non-public data respecting the Approved Devices (or any data contained therein) with any other individual or entity whatsoever.
- Third Party Links. Company may place links, icons or displays within the Software. The inclusion of a link does not imply endorsement of the linked site by Company. Company does not take responsibility for the content or information contained on those other sites, and does not exert any editorial or other control over those other sites. Company does not take responsibility for the privacy policies and practices of these third-party links. Company disclaims any warranty or liability for damage or loss resulting from Client’s use of any non-Company content or resources, including any external hyperlinks, advertisements, promotions, referrals, websites, or any other external resources which are found on or made available through the Software. Company disclaims any warranties or liability for the quality, accuracy, currency, reliability, availability, or legality of such non-Company content.
- IP Infringement Indemnity. Company shall defend, indemnify and hold harmless Client, its subsidiaries, affiliates, officers, directors, agents, employees and assigns, from and against any and all Losses suffered or incurred by them in connection with a third party claim arising out of any actual or threatened claim that the Application Services infringes upon or misappropriates any copyright, patent, trademark, trade secret, or other proprietary or other rights of any third party. Company shall have no obligation to indemnify Client to the extent the alleged infringement arises out of (i) the use of the Application Services in combination with other data products, processes or materials not provided by Company and such infringement would not have occurred but for Client’s combination; or (ii) any Client content. Should the Application Services as used by Client become, or in Company’s opinion be likely to become, the subject of an infringement claim, Company shall at its option and sole expense either: (i) procure for Client the right to continue to use the Software as contemplated hereunder, or (ii) modify the Software to eliminate any such claim that might result from its use hereunder or (iii) replace the Software with an equally suitable, compatible and functionally equivalent non-infringing Software at no additional charge to Client. If none of these options is reasonably available to Company, then this Agreement may be terminated at the option of either party hereto without further obligation or liability on the part of either party hereto except that Company agrees to promptly refund to Client the pro-rata portion of any unused fees prepaid by Client.
- Limitation. Company assumes no liability, and shall have no liability, for any infringement claim based on (i) Client’s access to and/or use of the Software following notice of an Infringement Claim; (ii) any modification of the Software by Client or at its direction; (iii) Client’s combination of the Software with third party programs, services, data, hardware, or other materials; or (iv) any trademark or copyright infringement involving any marking or branding not applied by Company or involving any marking or branding applied at Client’s request.
- Open Source Software. Certain items of Software may be provided to Client subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of this Agreement. Instead, each item of Open Source Software is licensed under the terms of the end-user license that accompanies such Open Source Software. Nothing in this Agreement limits Client’s rights under, or grants Client rights that supersede, the terms and conditions of any applicable end user license for the Open Source Software. If required by any license for particular Open Source Software, Company makes such Open Source Software, and Company’s modifications to that Open Source Software, available by written request at the notice address specified on the Order Form.
- License to Analytical Data. Client agrees that Company will have the right to collect and use anonymized and aggregated data and related information, including, but not limited to, information about devices, systems, related software, services, or peripherals generated by and associated with Client’s use of the Software (“Analytical Data”). Analytical Data may be used for purposes of facilitating the provision of product development, improvement, software updates, license authentication, support, reporting, analytics and other business purposes
- WARRANTY. COMPANY WARRANTS THAT THE SOFTWARE WILL MATERIALLY CONFORM TO ITS THEN CURRENT FUNCTIONALITY DESCRIPTIONS.
- DISCLAIMER OF WARRANTIES. EXCEPT AS SET FORTH IN SECTION 14 ABOVE, COMPANY MAKES NO WARRANTIES REGARDING THE SOFTWARE, AND COMPANY HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE SERVICES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE, AND ANY CONDITIONS OF QUALITY, AVAILABILITY, RELIABILITY, BUGS OR ERRORS. COMPANY DOES NOT WARRANT THAT ACCESS TO OR USE OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. COMPANY DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES AND CONDITIONS, THEREFORE SOME OF THE ABOVE EXCLUSIONS MAY NOT APPLY IF CLIENT IS LOCATED IN SUCH A JURISDICTION.
PROFESSIONAL SERVICES TERMS AND CONDITIONS
- Professional Services. In addition to the regular support services Client receives as a part of its Software purchase, Client may purchase additional training, consulting, data migration, conversion, integration, implementation or other services from Company to support its use of the Software (collectively, “Professional Services”), as specified in a subsequent statement of work agreement and agreed to by both parties. All Professional Services will be performed by individuals with levels of knowledge, skill and experience commensurate with the requirements of this Agreement, and will be performed in a timely, professional and workmanlike manner in accordance with generally accepted industry practices and standards.
SUPPORT SERVICES TERMS AND CONDITIONS
- Support Services. In support of its use of the Software purchased by it, Client shall receive technical support for product related questions in accordance with Company’s then-current technical support policies. Company’s support information is available at https://support.glooko.com/hc/en-us, as may be amended and updated by Company from time to time in its sole discretion. It is recommended that Authorized Users complete any purchased training prior to their use of the Software. Upon Client’s request, Company may provide additional technical support at Company’s then-current hourly rates, subject to the execution of an additional Order Form. Company shall not be responsible for general support relating to Client’s use of software or hardware provided by any entity other than Company or its affiliates. Such exclusions shall include operating systems, PC hardware, office applications, web browsers, EMR software, Client-specific authentication mechanisms, Client’s network, or any other hardware or software that Company does not control.
- Support Availability. Company provides technical support to Client’s Authorized Users having trouble with their account via email, phone, and SMS text message (the “Support” services). Many self-service resources are also available at https://support.glooko.com. Company encourages all of Client’s Authorized Users to first visit this link when having any trouble using the Software.
- Support Hours. Support is available from Monday to Friday, 8 am – 8 pm, Eastern Time (USA). Support is unavailable during the weekend, during public bank holidays in the respective territories, and during all holidays observed by Company.
- Support Duration. Company provides Support for the duration of the Term of the Agreement.
- Support System. Company manages Support requests in its support ticket system.
- Support Issue Classification, Escalation and Response Times: All Support issues are initially considered Priority 3 and then escalated as needed under the Issue Priority Definitions detailed below. Company’s response times for Support issues reported by Client are summarized below. When an issue is escalated, depending the nature and character of the issue being reported, it is sent to the internal personnel dedicated to addressing the issue based on its nature and character. Notwithstanding the foregoing, should an incident involve a potential data breach or breach of Company’s data security obligations, such issues are immediately escalated to Priority 0.
- Support Issue Classifications
- Priority 0 – Code Red
- Complete system outage, or outage in major system components which impacts ability to upload, view or share data either remotely or in clinic.
- A security issue exists resulting in release (or threat to release) of Glooko users’ Personal Health Information (PHI) / Personally Identifiable Information (PII) to a public forum.
- Mobile application is crashing repeatedly for 20 or more reporting users such that this set of users cannot use the application.
- Priority 1 – Critical
- Supported diabetes device data is being incorrectly received, parsed, interpreted or displayed from one or more devices.
- A data integrity or availability issue is affecting the ability to view or update data for many to most users and customers.
- Security vulnerability has been detected; possible or detected exposure of patient information.
- API platform is down.
- Priority 2 – Major
- A data availability issue is affecting the ability to view or access one or more categories of data for one customer.
- Identification of an opportunity to prevent exploitation of a security vulnerability.
- Mobile applications are crashing repeatedly for less than 20 reporting users such that this set of users cannot use the application.
- Part of the mobile application is not responding or not working.
- Significant system performance is degraded.
- Priority 3 – Minor
- Minor, cosmetic issue.
- Software issue that affects features but does not prevent normal operations.
- Identification of an opportunity to improve data integrity or security that is not immediately time-critical.
- Any other bug not classified as Code Red, Critical, or Major.
- Priority 0 – Code Red
- Targeted Issue Response Times
- Client Obligations In order for Company to be able to resolve issues reported by Client in the response times appearing above, Client itself must undertake the below listed actions when reporting the issue to Company:
- Validate and attempt to recreate the issue before reporting to Company;
- Report the problem to Company within 1 day of it happening;
- Provide any additional analysis requested by Company and reasonably cooperate with Company to identify, evaluate and resolve the issue.
- Exclusions Company will have no liability or any failure to meet the Targeted Issue Response Times for issues arising from: (a) use of the Software by Client other than as authorized under the Agreement or documentation; (b) problems caused by client’s own data; (c) problems caused by Client or its Authorized User’s equipment; (d) problems caused by third party acts, or services and/or systems not provided by Company; or (e) general telecommunications problems or problems caused by other factors outside of Company’s reasonable control.
SOFTWARE UPTIME
Availability. Company will make the Software Available continuously, as measured on a 24×7 basis an average of 99.9% of the time (the “Software Uptime”), excluding unavailability caused by Exceptions (as defined below). “Available” means the Software is available for access and use by Client in accordance with their full intended functionality according to its then-current documentation. For purposes of calculating Availability percentage, the following “Exceptions” described below to the Software Uptime shall not be considered time for which the Software is unavailable.
Exceptions.The below listed are all permitted Exceptions to the Software Uptime:
“Emergency Maintenance Period” means the period of time elapsed during any maintenance performed on the Software, which maintenance is required as a result of conditions beyond Company’s reasonable control. Company will provide Client with at least thirty (30) minutes advance notice for emergency maintenance, when possible. Emergency maintenance may occur at any time, as Company deems necessary in its sole discretion.
“Scheduled Maintenance Period” means the period of time elapsed during any scheduled maintenance performed by Company on the Software. Company will provide Client with notice for scheduled maintenance which will affect access to their service. Company will use commercially reasonable efforts to schedule maintenance during hours other than during regular business hours.
“Permitted Downtime” means the following:
- Inoperability due to any scheduled or emergency maintenance (occurring during the Scheduled Maintenance Periods or Emergency Maintenance Periods);
- Problems caused by telecommunications and/or Internet services;Problems caused by software or hardware not provided or controlled by Company (such as the Amazon Web Hosting server environment where the Company software is stored and accessed, or a device manufacturer changing their specifications);
- Problems due to Force Majeure events, as provided in the Agreement, and acts of war or nature; Problems due to acts or omissions of Client, its agents, employees or contractors;
- Problems due to defects in data provided by Client that Company could not have discovered through the exercise of reasonable diligence prior to the failure;
- Problems due to Client’s failure to implement changes in equipment or software reasonably recommended by Company in writing as essential to maintaining service levels following a Client directed change in the operating environment;
- Inoperability due to a Client driven increase in demand for system resources that has not allowed Company a reasonable time to accommodate;Inoperability due to exceeding the maximum number of concurrent users specified within the Agreement or Sales Order, as applicable; and
- Problems due to operation under a disaster recovery plan.
Exhibit A
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Business Associate Agreement”) is entered into between Glooko, Inc., a Delaware corporation, located at 303 Bryant Street, Mountain View, California, 94041 (the “Business Associate”), and the Client listed on the Master Agreement entered into between the Parties (the “Covered Entity”). This Business Associate Agreement is effective as of the Effective Date of the Master Agreement.
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and
WHEREAS, the American Recovery and Reinvestment Act (“ARRA“) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties are entering into an agreement (“Master Agreement”) whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such Master Agreement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy; and
WHEREAS, Business Associate may have access to Protected Health Information (“PHI”) as defined below, in fulfilling its responsibilities under such arrangement; and Business Associate and Covered Entity (each a “Party” and collectively the “Parties”) agree to the terms and conditions of this Business Associate Agreement.
Article 1. Definitions.
Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, codified as 42 U.S.C. §1320d (“HIPAA”), the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (the “HITECH” Act), and any current and future regulations promulgated under HIPAA or HITECH.
- 1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the “HIPAA Privacy Regulations”) which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
- (a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Regulations; or
- (b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Regulations; or
- (c) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
- 1.2 “Designated Record Set” means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.
- 1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Regulations.
- 1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
- 1.5 “HIPAA Privacy Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
- 1.6 “HIPAA Security Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and subparts A and C of part 164.
- 1.7 “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the HITECH Act and any regulations promulgated thereafter.
- 1.8 “Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and:
- (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
- (b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- 1.9 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined above. PHI does not include any data received by the business associate directly from a patient where the patient consents to sharing their data. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Business Associate Agreement.
- 1.10 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
- 1.11 “Unsecured Protected Health Information” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h) of the HITECH Act.
Article 2. Obligations of Business Associate
- 2.1 Subcontractors. Business Associate agrees to require any subcontractor to whom it provides Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity, to agree to the same restrictions and conditions that apply throughout this Business Associate Agreement to Business Associate with respect to such information. Subcontractors shall receive appropriate training and agree to implement reasonable and appropriate safeguards to protect any of such information which is PHI or Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Business Associate Agreement.
- 2.2 Safeguards. Business Associate agrees to use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
- 2.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Association in violation of this Business Associate Agreement.
- 2.4 Compliance. Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.
- 2.5 Notice of Use or Disclosure, Security Incident or Breach.
- (a) Business Associate agrees to notify the designed Privacy Officer of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of breach. Business Associate shall provide the following information in such notice to Covered Entity:
- (i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
- (ii) a description of the nature of the Breach including the types of unsecured PHI that were involved, the date of the Breach and the date of discovery;
- (iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);
- (iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;
- (v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and
- (vi) any other details necessary for Covered Entity to assess risk of harm to Individual(s), including identification of each Individual whose unsecured PHI has been Breached and steps such Individuals should take to protect themselves.
- (b) Covered Entity will be responsible for providing notification to Individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HITECH Act. In the event that a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s breach analysis procedures, including risk assessment and determination of the extent of access of such unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.
- (c) Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
- (d) The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Business Associate Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
- (a) Business Associate agrees to notify the designed Privacy Officer of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of breach. Business Associate shall provide the following information in such notice to Covered Entity:
- 2.7 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably requested by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.
- 2.8 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees, upon request of Covered Entity or an Individual.
- 2.9 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary in a time and manner designated by the Covered Entity or Secretary, for the purposes of the Secretary in determining the Parties compliance with HIPAA, the HITECH Act, the American Recovery and Reinvestment Act, and corresponding regulations.
- 2.10 Accounting and Audit. Business Associate agrees to provide to Covered Entity an accounting of PHI disclosures made by Business Associate, including disclosures made for treatment, payment and health care operations. The accounting shall be made within a reasonable amount of time upon receipt of a request from Covered Entity. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule.
- 2.11 Security of Electronic Protected Health Information. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity; (2) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (3) report to the Covered Entity any security incidents of which it becomes aware.
- 2.12 Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. §164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
- 2.13 Permitted Uses and Disclosures. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate HIPAA, ARRA, or the HITECH Act if done by the Covered Entity. Notwithstanding the prohibitions set forth in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information as follows:
- (a) if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or
- (b) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
- (c) Business Associate may de-identify and aggregate any and all Protected Health Information created or received by Business Associate under the Master Agreement; provided, however, that such de-identification conforms to the requirements under HIPAA. Anonymized and aggregated data is data that has been de-identified into a form that does not identify Client, its Authorized Users, or Patients, or other individually identifiable data subjects, and that meets de-identification criteria as specified in applicable regulations such as the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 164.514(a)-(c)), EU General Data Privacy Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Such resulting de-identified information shall not be subject to the terms of this Business Associate Agreement.
- 2.14 Limited Use or Disclosure of PHI. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the Master Agreement or as required by law. Business Associate may (1) use and disclose PHI to perform the services agreed to by the Parties; (2) use or disclose PHI for the proper management and administration of Business Associate or in accordance with its legal responsibilities; (3) use PHI to provide data aggregation services relating to health care operations of Covered Entity; (4) use or disclose PHI to report violations of the law to law enforcement; or (5) use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. §164.514. Business Associate will not sell PHI or use or disclose PHI for marketing or fundraising purposes as set forth in the HITECH Act
Article 3. Obligations of Covered Entity
- 3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
- 3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- 3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.
- 3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate the HIPAA Privacy Regulations, ARRA, or the HITECH Act if done by Covered Entity.
- 3.5 Consents. Obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.
Article 4. Term and Termination
- 4.1 Term. The Term of this Business Associate Agreement shall be effective as of the date listed above and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
- 4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a violation or material breach of this Business Associate Agreement, the non-breaching Party may take one of the following steps:
- (a) Provide an opportunity for the breaching Party to cure the breach or end the violation, and if the breaching Party does not cure the breach or end the violation within a reasonable time, terminate this Business Associate Agreement;
- (b) Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Business Associate Agreement and cure of the material breach is not possible; or
- (c) If neither cure nor termination is feasible, elect to continue this Business Associate Agreement and report the violation or material breach to the Secretary in accordance with the requirements set forth in the HITECH Act.
- 4.3 Disposition of PHI Upon Termination or Upon Request.
- (a) Upon termination of this Business Associate Agreement, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associated on behalf of Covered Entity which Business Associated still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.
- (b) It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Business Associate Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Business Associate Agreement that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
Article 5. Miscellaneous
- 5.1 Limitation of Liability. Business Associate’s aggregate liability for claims under this Business Associate Agreement shall not exceed the amounts paid by Covered Entity to Business Associate under the Agreement in the twelve (12) months preceding the first claim made under this Business Associate Agreement.
- 5.2 No Third Parties; Survival. Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Business Associate Agreement do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Business Associate Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
- 5.3 Amendment. The Parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, ARRA, or the HITECH Act and any applicable regulations in regard to such laws.
- 5.4 Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA, ARRA, or the HITECH Act or any applicable regulations in regard to such laws.
- 5.5 Prior Agreement. This Business Associate Agreement shall replace and supersede any prior Business Associate Agreement between the Parties.
- 5.6 Ambiguity. Any ambiguity of this Business Associate Agreement shall be resolved to permit the Parties to comply with the HITECH Act, HIPAA, ARRA, and the Privacy and Security Rules and other implementing regulations and guidance.
- 5.7 Minimum Requirements. The provisions of this Business Associate Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.
- 5.8 Notices. Except as otherwise specified herein, all notices, demands or communications required under this Business Associate Agreement shall be in writing and delivered personally, or sent either by U.S. certified mail, postage prepaid return receipt requested, or by overnight delivery air courier (e.g., Federal Express) to the parties at their respective addresses as set forth in a duly executed Order Form which references the Master Agreement. All such notices, requests, demands, or communications shall be deemed effective immediately upon receipt.
- 5.9 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Business Associate Agreement is the entire agreement between the parties in connection with the subject matter herein. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Business Associate Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Business Associate Agreement. Any assignment of this Business Associate Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Business Associate Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Business Associate Agreement and any other agreements between the Parties evidencing their business relationship. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Business Associate Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Business Associate Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Business Associate Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Business Associate Agreement as necessary to bring it into compliance. If, after such thirty (30) day period, the Business Associate Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.
Updated by Glooko on: 05/27/2020