Platform Terms of Use

iollo, Inc. Platform Terms of Use

Last updated: 07/26/2024

Welcome to iollo, Inc. ("iollo," "we," "us," or "our") Platform Terms of Use (these "Terms"). This document outlines the legal agreement between you and iollo regarding your access to and use of our proprietary software as a service (SaaS) platform, available as a web application and/or mobile application (the "Platform").

PLEASE REVIEW THESE TERMS CAREFULLY. By accessing or using the Platform, you confirm that you have read, understood, and agree to be legally bound by these Terms and our Privacy Policy, which is incorporated by reference (collectively, the "Agreement"). If you do not agree to any part of this Agreement, please refrain from using the Platform.

If you are accepting this Agreement on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to this Agreement. In such cases, "you" and "your" will refer to that entity.

We reserve the right to modify, discontinue, or terminate the Platform, or to amend this Agreement, at any time without prior notice. Any modifications to the Agreement will be posted on the Platform. Your continued use of the Platform after such posting indicates your acceptance of the modified Agreement. If you find the modified Agreement unacceptable, your sole recourse is to discontinue use of the Platform.

IMPORTANT NOTICE: THE SECTIONS TITLED "DISPUTE RESOLUTION" AND "CLASS ACTION WAIVER" CONTAIN A BINDING ARBITRATION AGREEMENT AND CLASS ACTION WAIVER. THESE SECTIONS AFFECT YOUR LEGAL RIGHTS. PLEASE READ THEM CAREFULLY.

Capitalized terms not defined in these Terms shall have the meaning set forth in our Privacy Policy.


1. ACCESS AND USE OF THE PLATFORM

1.1 Grant of Rights

Subject to this Agreement, iollo grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable right during the Term to authorize your Authorized Users to access and use the Platform solely for your internal business purposes to evaluate the Platform.

1.2 Restrictions

You agree not to, and will not permit or encourage any third party to:

(a) Reverse engineer, decompile, disassemble, or attempt to discern the Platform's source code or interface protocols;

(b) Modify, adapt, translate, copy, or create derivative works of the Platform;

(c) Resell, distribute, or sublicense the Platform;

(d) Remove or alter any proprietary markings or legends on the Platform;

(e) Use the Platform in violation of applicable law or to build a competitive product or service;

(f) Introduce harmful code into the Platform;

(g) Store or archive Platform data outside the Platform, except for permitted outputs;

(h) Use the Platform for third-party benefit in a service bureau or similar arrangement;

(i) Circumvent Platform security measures or access controls.

1.3 Suspension of Access

iollo reserves the right to immediately deny you access to the Platform, without notice, if you violate these restrictions. We may change the availability of any feature, function, or content of the Platform at any time, without notice or liability to you.


2. AUTHORIZED USERS

2.1 Definition

"Authorized Users" refers to your employees and contractors who access and use the Platform on your behalf.

2.2 User Accounts

Each Authorized User must create an account with unique login credentials (email address and password). Login credentials are non-transferable and must be kept confidential.

2.3 Responsibility

You are responsible for:

(a) Notifying us immediately of any unauthorized use or suspected unauthorized use of login credentials;

(b) All activities associated with Authorized Users' login credentials;

(c) Ensuring Authorized Users comply with these Terms;

(d) Promptly informing us of any need to deactivate or change login credentials.

2.4 Account Deactivation

We reserve the right to disable any Platform account or password at any time if, in our sole discretion, we believe you have failed to comply with these Terms.


3. PERSONAL INFORMATION

Your use of the Platform may involve transmitting certain personal information to us. Our policies regarding the collection and use of such information are governed by our Privacy Policy, which is incorporated into this Agreement by reference.


4. INTELLECTUAL PROPERTY

4.1 Ownership

The Platform contains material owned by iollo or third parties, including software, text, graphics, images, sound recordings, and audiovisual works (collectively, the "Content"). The Content is protected by United States and international copyright, trademark, and other laws.

4.2 Limited License

You have no rights in or to the Content except as expressly permitted under this Agreement. No other use is allowed without our prior written consent. You must retain all copyright and proprietary notices in any copies of the Content you make.

4.3 Restrictions

You may not sell, transfer, assign, license, sublicense, or modify the Content, or reproduce, display, publicly perform, create derivative works of, distribute, or use the Content for any public or commercial purpose. Using or posting the Content on any other website or networked computer environment is expressly prohibited.

4.4 Termination of Rights

If you violate any part of this Agreement, your permission to access and use the Content and the Platform automatically terminates, and you must immediately destroy any copies of the Content.

4.5 Trademarks

The trademarks, service marks, and logos used and displayed on the Platform include registered and unregistered marks of iollo ("iollo Trademarks") and other parties ("Third-Party Trademarks," collectively with iollo Trademarks, the "Trademarks"). Nothing on the Platform should be construed as granting any license or right to use the Trademarks without our prior written permission for each specific use.

4.6 Trade Dress and Other Protections

Elements of the Platform are protected by trade dress, trademark, unfair competition, and other laws and may not be copied or imitated in whole or in part. No Content may be retransmitted without our express, written consent for each instance.


5. YOUR DATA AND PLATFORM-GENERATED INFORMATION

5.1 Definitions

For the purposes of this Agreement:

- "Your Data" means all data and information submitted to the Platform by you and your Authorized Users, including Patient Recordings and personal information of Authorized Users.

- "Patient Recordings" refers to (i) audio and/or video recordings of sessions between you (or your Authorized Users) and patients (including participating family members or friends) that are uploaded to the Platform; and (ii) information and data collected during such sessions and uploaded to the Platform.

- "Protected Health Information" or "PHI" has the meaning defined under HIPAA.

- "Usage Data" means anonymous, analytical data collected by iollo regarding Platform performance and use.

- "Output" refers to medical documentation generated by processing Your Data through the Platform.

5.2 Ownership and License

You retain all rights, title, and interest in Your Data and Output, including all modifications and intellectual property rights. You grant iollo a non-exclusive, worldwide, fully paid-up, royalty-free right and license, with the right to sublicense, to reproduce, use, store, modify, perform, display, and distribute Your Data: (i) during the Agreement term to fulfill iollo's obligations; and (ii) for iollo's internal business purposes, including Platform improvement and analytics capabilities enhancement.

5.3 PHI Processing

We will process PHI included in Your Data in accordance with the Business Associate Agreement (BAA) attached as Schedule A. You are responsible for the accuracy, quality, and legality of Your Data. If this Agreement conflicts with the BAA, the BAA controls regarding PHI processing.

5.4 De-identified and Aggregate Data

We may use De-identified Data (as defined in the BAA) at our discretion and disclose it to third parties. We may link your De-identified Data with your customer ID to customize and train our Platform based on your specific requirements identifiable from Your Data. We may also use and permit third-party access to Your Data and Usage Data in anonymous, aggregated form ("Aggregate Data") for product and service improvement. Aggregate Data does not identify you. You agree that we may collect, use, publish, disseminate, sell, transfer, and exploit Aggregate Data.


6. DATA RETENTION

6.1 Patient Recordings

For Patient Recordings, you may choose to:

(a) Delete them immediately after Platform processing; or

(b) Store them according to your retention settings for other data.

6.2 Your Data

For Your Data, you may choose to:

(a) Retain it in the Platform for 30 days from submission; or

(b) Retain it for the Agreement Term.

6.3 Deletion Process

If you choose the 30-day retention option, we will delete Your Data after this period, except as noted in Section 16. Your Data will remain in our backup system for 7 additional days before final deletion per our data retention policies.

6.4 Responsibility

You have full control over and responsibility for the options you select regarding data retention.


7. FEES

7.1 Payment Obligation

In exchange for Platform access and use, you agree to pay the fees for your selected subscription plan within 30 days of invoice receipt.

7.2 Price Changes

We reserve the right to update our pricing structure with reasonable notice, with changes effective the next service year. We may introduce new or additional fees at any time upon notice.

7.3 Payment Processing

By purchasing a subscription, you agree to pay us through our chosen third-party payment processor. We may change our payment processor at any time.


8. PLATFORM RULES

By using the Platform, you agree to comply with the following rules:

(a) You will not use the Platform for any unlawful purpose;

(b) You will not collect market research for competing businesses;

(c) You will not upload, post, or transmit content that:

- Infringes on any proprietary rights;

- Promotes third-party websites, products, or services;

- Is defamatory, obscene, pornographic, invasive of privacy, or contains hate speech;

- Discloses sensitive information about others;

(d) You will not impersonate others or misrepresent your affiliation;

(e) You will not decompile or reverse engineer Platform software;

(f) You will not interfere with Platform advertisements or safety features;

(g) You will not circumvent Platform protections;

(h) You will not use automated means to download or scrape Platform data, except for compliant search engines and archives;

(i) You will not impose unreasonable loads on our infrastructure;

(j) You will not interfere with Platform operation through viruses, hacking, or other means.

We reserve the right to deny Platform access to anyone, without notice, at our sole discretion.


9. AGE RESTRICTION

The Platform is available only to individuals aged 18 years or older. By entering this Agreement, you represent and warrant that you are at least 18 years old.


10. FEEDBACK

We welcome your feedback, comments, and suggestions for Platform improvements ("Feedback"). While we encourage email communication, please do not send confidential information. You agree that we may use and disclose any ideas, concepts, know-how, or techniques contained in your Feedback for any purpose, including product and service development and marketing, without compensation or attribution to you.


11. DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY

11.1 Disclaimer of Warranties

THE PLATFORM, CONTENT, AND OUR SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." IOLLO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AVAILABILITY, ERROR-FREE OR UNINTERRUPTED OPERATION, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. IF APPLICABLE LAW REQUIRES ANY WARRANTIES WITH RESPECT TO THE PLATFORM, ALL SUCH WARRANTIES ARE LIMITED IN DURATION TO NINETY (90) DAYS FROM THE DATE OF FIRST USE.

11.2 Medical Disclaimer

THE PLATFORM, CONTENT, AND OUTPUT ARE NOT INTENDED TO DIAGNOSE, TREAT, CURE, OR PREVENT ANY DISEASE OR HEALTH CONDITION. YOU AND YOUR AUTHORIZED USERS ARE SOLELY RESPONSIBLE FOR ANY MEDICAL CONCLUSIONS OR TREATMENT DECISIONS BASED ON PLATFORM OUTPUT. THE PLATFORM IS NOT A SUBSTITUTE FOR PROFESSIONAL MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT.

11.3 No Guarantee

IOLLO DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, PERFORMANCE, OR OUTPUT OF THE PLATFORM. IOLLO IS NOT LIABLE FOR ANY HARM OR DAMAGE ARISING FROM PLATFORM USE OR OUTPUT. IOLLO IS NOT RESPONSIBLE FOR DECISIONS MADE BASED ON PLATFORM OUTPUT. YOU AND YOUR AUTHORIZED USERS USE THE PLATFORM AND OUTPUT AT YOUR OWN RISK.

11.4 Limitation of Liability

IN CONNECTION WITH ANY WARRANTY, CONTRACT, OR COMMON LAW TORT CLAIMS:

(a) WE SHALL NOT BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, OR LOST PROFIT DAMAGES, OR DAMAGES FROM LOST DATA OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF SUCH POSSIBILITY.

(b) ANY DIRECT DAMAGES SHALL BE LIMITED TO THE GREATER OF $100 OR THE TOTAL FEES PAID BY YOU IN THE THREE MONTHS PRECEDING THE CLAIM.


12. EXTERNAL SITES

The Platform may link to third-party websites ("External Sites"). These links are for convenience only and do not imply endorsement. We are not responsible for External Sites' content or accuracy. You access External Sites at your own risk.


13. YOUR REPRESENTATIONS AND WARRANTIES

You represent and warrant that you have:

(a) All rights and permissions necessary to provide or grant us access to and use of Your Data.

(b) Obtained all necessary consents, permissions, and authorizations in accordance with applicable laws regarding Your Data, including patient consents for recording sessions and authorizations for PHI use and disclosure.


14. INDEMNIFICATION

You will indemnify, defend, and hold harmless iollo, its affiliates, and their respective shareholders, members, officers, directors, employees, agents, and representatives (collectively, "iollo Indemnitees") from and against any damages, liabilities, losses, costs, and expenses, including reasonable attorney's fees, incurred by any iollo Indemnitee in connection with a third-party claim arising from your or your Authorized Users':

(a) Breach of this Agreement, including representations and warranties;

(b) Misuse of the Platform, Output, or Content;

(c) Negligence, gross negligence, willful misconduct, fraud, misrepresentation, or violation of law;

(d) Violation of any third-party right, including copyright, trademark, property, or privacy rights.

Our indemnification rights are subject to: (i) prompt notification of the claim; (ii) reasonable cooperation in the defense, at your expense; and (iii) your sole control over defense and settlement negotiations.


15. COMPLIANCE WITH APPLICABLE LAWS

The Platform is based in the United States. We make no claims about its appropriateness or legality of use outside the United States. If you access the Platform from elsewhere, you do so at your own risk. You are solely responsible for compliance with your local laws.


16. TERM AND TERMINATION

16.1 Term

Your right to access and use the Platform begins upon acceptance of these Terms and continues for the duration of your selected subscription plan (the "Term"). The Term automatically renews for consecutive periods equal to your initial subscription duration unless either party notifies the other of non-renewal at least thirty (30) days before the current term's expiration.

16.2 Termination

We reserve the right to change, suspend, discontinue, or terminate your access to all or part of the Platform at any time without prior notice or liability.

16.3 Survival

Sections 4, 5, 6, 7, and 9-21 shall survive the termination of these Terms.


17. DISPUTE RESOLUTION

17.1 Binding Arbitration

Any dispute arising under or relating to this Agreement or the Platform (each, a "Dispute") will be finally and exclusively resolved by binding arbitration governed by the Federal Arbitration Act ("FAA").

17.2 Waiver of Court Proceedings

NEITHER PARTY SHALL HAVE THE RIGHT TO LITIGATE SUCH CLAIM IN COURT OR HAVE A JURY TRIAL, EXCEPT EITHER PARTY MAY BRING ITS CLAIM IN ITS LOCAL SMALL CLAIMS COURT, IF PERMITTED BY THAT COURT'S RULES AND WITHIN ITS JURISDICTION.

17.3 Arbitration Procedure

All disputes will be resolved before a neutral arbitrator selected jointly by the parties, whose decision will be final, except for a limited right of appeal under the FAA. The arbitration shall be commenced and conducted by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures and in accordance with the Expedited Procedures in those rules, or, where appropriate, pursuant to JAMS' Streamlined Arbitration Rules and Procedures.

17.4 Arbitration Costs

Each party will be responsible for paying any JAMS filing, administrative, and arbitrator fees in accordance with JAMS rules.

17.5 Arbitration Location

The arbitration may be conducted in person, through document submission, by phone, or online. If in person, it shall take place in the United States county where you reside.

17.6 Court Proceedings Related to Arbitration

The parties may litigate in court to compel arbitration, stay proceedings pending arbitration, or confirm, modify, vacate, or enter judgment on the arbitrator's award.

17.7 Voluntary Information Exchange

The parties shall cooperate in good faith in the voluntary and informal exchange of all non-privileged documents and information relevant to the Dispute immediately after arbitration commences.


18. CLASS ACTION WAIVER

18.1 Individual Claims Only

You agree that any arbitration or proceeding shall be limited to the Dispute between us and you individually.

18.2 Waiver of Class Proceedings

To the full extent permitted by law:

(a) No arbitration or proceeding shall be joined with any other;

(b) There is no right or authority for any Dispute to be arbitrated or resolved on a class action basis;

(c) There is no right or authority for any Dispute to be brought in a purported representative capacity on behalf of the general public or any other persons.

18.3 Individual Capacity Claims

YOU AGREE THAT YOU MAY BRING CLAIMS AGAINST US ONLY IN YOUR INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.


19. EQUITABLE RELIEF

19.1 Acknowledgment of Harm

You acknowledge that a breach or threatened violation of our intellectual property rights and confidential information would cause irreparable harm to us.

19.2 Injunctive Relief

We may, without waiving other remedies under this Agreement, seek from any court having jurisdiction any interim, equitable, provisional, or injunctive relief necessary to protect our rights and property pending arbitration.

19.3 Consent to Jurisdiction

You irrevocably and unconditionally consent to the personal and subject matter jurisdiction of the federal and state courts in the State of California for purposes of any such action by us.


20. GOVERNING LAW AND FORUM

20.1 Governing Law

This Agreement and any related actions will be governed by the laws of the State of California, without regard to its conflict of laws provisions.

20.2 Exclusive Forum

The Parties consent and agree to the exclusive jurisdiction of state and federal courts in the State of California for all suits, actions, or proceedings directly or indirectly arising from this Agreement. The Parties waive any objections to such courts, including improper venue or inconvenient forum, and irrevocably submit to the exclusive jurisdiction of such courts.


21. MISCELLANEOUS PROVISIONS

21.1 Assignment

You may not assign any rights, duties, or obligations under these Terms to any person or entity, in whole or in part, without written consent from iollo.

21.2 Waiver

Our failure to act on or enforce any provision of the Agreement shall not be construed as a waiver of that provision or any other provision. No waiver shall be effective against us unless made in writing, and no waiver shall be construed as a waiver in any other or subsequent instance.

21.3 Entire Agreement

Except as expressly agreed by us and you in writing, the Agreement constitutes the entire agreement between you and us regarding the subject matter, superseding all previous or contemporaneous agreements, whether written or oral, between the parties on the subject matter.

21.4 Severability

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.

21.5 Section Headings

Section headings are provided for convenience only and shall not be given any legal import.

21.6 Successors and Assigns

This Agreement will inure to the benefit of our successors, assigns, licensees, and sublicensees.

21.7 No Third-Party Beneficiaries

Nothing in this Agreement, express or implied, is intended to or shall confer upon any third party any legal or equitable right, benefit, or remedy of any nature under or by reason of this Agreement.

21.8 Force Majeure

Neither party shall be liable for any failure or delay in performance under this Agreement due to causes beyond its reasonable control, including but not limited to, acts of God, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, strikes, or shortages of transportation facilities, fuel, energy, labor, or materials.

21.9 Electronic Communications

You consent to receive communications from us electronically. You agree that all agreements, notices, disclosures, and other communications that we provide to you electronically satisfy any legal requirement that such communications be in writing.

21.10 Contact Information

If you have any questions about these Terms, please contact us at [insert contact information].


By using the Platform, you acknowledge that you have read and understood these Terms and agree to be bound by them.


Last Updated: 07/26/2024

Copyright 2024 iollo, Inc. All rights reserved.




SCHEDULE A

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is by and between iollo, Inc. ("Business Associate"), and Customer ("Covered Entity"), and is effective as Effective Date.

WHEREAS, the pursuant to these Terms of Use Business Associate will provide certain services to, for, or on behalf of Covered Entity involving the use or disclosure of Protected Health Information ("PHI"), and pursuant to such Terms of Use, Business Associate may be considered a "business associate" of Covered Entity; and

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Provider Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and the Standards for Privacy of Individually Identifiable Health Information promulgated thereunder by the U.S. Department of Health and Human Services at 45 CFR § 160 and § 164 (the "HIPAA Rules"), and the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), in each case as amended from time to time; and

WHEREAS, the purpose of this BAA is to satisfy certain standards and requirements of the HIPAA Rules and the HITECH Act, as the same may be amended from time to time.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:


1. Definitions.

Terms used but not otherwise defined in this BAA shall have the same meaning as set forth in 45 CFR Parts 160, 162 and 164, or the HITECH Act.


2. Obligations of Business Associate.

a. Permitted Uses and Disclosures.

Business Associate agrees to only Use or Disclose PHI as necessary in order to perform the services set forth in the Provider Agreement, as permitted under this BAA, or as Required by Law. Business Associate shall have the right to de-identify any and all PHI, provided that Business Associate implements a de-identification process that conforms to the requirements of 45 C.F.R. 164.514(a)-(c) ("De-identified Data"). Business Associate may Use or Disclose such De-identified Data to third parties at its discretion, as such De-identified Data does not constitute PHI and is not subject to the terms of this BAA. Business Associate shall own all right, title and interest in and to such De-identified Data.

b. Nondisclosure.

Business Associate shall not Use or further Disclose PHI other than as permitted or required by this BAA.

c. Safeguards.

Business Associate shall use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Business Associate's operations and the nature and scope of its activities.

d. Reporting of Disclosures; Mitigation.

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

e. Business Associate's Agents.

Business Associate shall ensure that any subcontractors, to whom it provides PHI received from (or created or received by Business Associate on behalf of) Covered Entity agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.

f. Availability of Information to Covered Entity.

Business Associate shall make available to Covered Entity (or, as directed by Covered Entity, to an Individual) such information as Covered Entity may request, and in the time and manner designated by Covered Entity, to fulfill Covered Entity's obligations (if any) to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Rules, including, but not limited to, 45 CFR §§ 164.524 and 164.528. Requests for information must be submitted at least 14 days in advance of the due date.

g. Amendment of PHI.

Business Associate shall make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity, to fulfill Covered Entity's obligations (if any) to amend PHI pursuant to HIPAA and the HIPAA Rules, including, but not limited to, 45 CFR § 164.526, and Business Associate shall, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.

h. Internal Practices.

Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) available to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA and the HIPAA Rules.

i. Documentation of Disclosures for Accounting.

Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

j. Access to Documentation for Accounting.

Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information documented in accordance with Section 2(i) of this BAA in a time and manner as to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

k. Notification of Breach.

During the Term of this BAA, Business Associate shall notify Covered Entity within ten (10) days of Discovery of any Breach of Unsecured PHI. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity with information necessary for Covered Entity to meet the requirements of said section, and in a manner and format to be specified by Covered Entity.

l. Minimum Necessary.

When using, disclosing, or requesting PHI from the Covered Entity, or in accordance with any provision of this BAA, Business Associate shall limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.


3. Obligations of Covered Entity.

a. Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to the BAA and this BAA, in accordance with the standards and requirements of HIPAA and the HIPAA Rules, until such PHI is received by Business Associate.

b. Upon request, Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.

c. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses or disclosures.

d. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, if such restriction affects Business Associate's permitted or required uses or disclosures.


4. Term and Termination.

a. Term. The Term of this BAA shall become effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Section. The provisions of this BAA shall survive termination of the BAA to the extent necessary for compliance with HIPAA and the HIPAA Rules.

b. Material Breach. A material breach by either party of any provision of this BAA shall constitute a material breach of the BAA, if such breach is not cured by the breaching party within thirty (30) days of receipt of notice describing the material breach.

c. Reasonable Steps to Cure Breach. If either party learns of an activity or practice of the other party that constitutes a material breach or violation of the other party's obligations under the provisions of this BAA, then the non-breaching party shall notify the breaching party of the breach and the breaching party shall take reasonable steps to cure such breach or violation, as applicable, within a period of time which shall in no event exceed thirty (30) days. If the breaching party's efforts to cure such breach or violation are unsuccessful, the non-breaching party shall either terminate the BAA, if feasible, or if termination of the BAA is not feasible and the breaching party has violated the HIPAA Rules, the non-breaching party may report the breaching party's breach or violation to the Secretary.

d. Judicial or Administrative Proceedings. Either party may terminate the BAA, effective immediately, if the other party is named as a defendant in a criminal proceeding for an alleged violation of HIPAA, or a finding or stipulation that the other party has violated any standard or requirement of HIPAA or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.

e. Effect of Termination.

  1. Except as provided in paragraph (e)(2) of this Section or if required by law or regulation to be maintained by Business Associate, upon termination of the BAA for any reason, Business Associate shall return at Covered Entity's expense, or destroy all PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) that Business Associate still maintains in any form, and shall retain no copies of such PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
  2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The obligations of Business Associate under this Section shall survive the termination of the BAA.

5. Amendment to Comply with Law.

The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of the BAA may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, and other applicable laws relating to the security or confidentiality of PHI. Upon the request of either party, the parties shall promptly enter into negotiations concerning the terms of an amendment to the BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, or other applicable laws relating to security and privacy of PHI. Either party may terminate the BAA upon thirty (30) days' written notice in the event the other party does not promptly enter into negotiations to amend the BAA when requested pursuant to this Section, or does not enter into an amendment to the BAA providing assurances regarding the safeguarding of PHI that satisfy the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, or any other applicable laws relating to security and privacy of PHI.


6. No Third Party Beneficiaries.

Nothing in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever and no other person or entity shall be a third party beneficiary of this BAA.


7. Effect on BAA.

Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the BAA shall remain in full force and effect.


8. Interpretation.

This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Rules and any other applicable law relating to security and privacy of PHI. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.


9. Regulatory References.

A reference in this BAA to a section in the HIPAA Rules or the HITECH Act means the section as in effect or as amended, and for which compliance is required.