Terms of Use
Last Updated: 6/16/2022
Dentagraphics Terms of Use
These Customer Terms of Service (the "Terms") are between Dentagraphics, LLC ("Dentagraphics") and the Customer identified in the accompanying Order ("Customer" or "you"). If Customer is a business or other legal entity, the person accepting these Terms on behalf of Customer represents that he or she has the authority to bind such entity to these terms and conditions.
PLEASE READ THESE TERMS CAREFULLY BEFORE ACCEPTING THEM BY SIGNING THE ACCOMPANYING ORDER. THESE TERMS GOVERN THE LICENSE AND USE OF ALL SERVICES AND SOFTWARE OFFERED BY DENTAGRAPHICS AND PROVIDED TO CUSTOMER AND ITS USERS UNDER THE ORDER(S) SUBMITTED BY CUSTOMER. BY SUBMITTING THE ORDER, YOU ARE INDICATING YOUR ACCEPTANCE OF THE TERMS IN THEIR ENTIRETY, INCLUDING DATA USAGE, WARRANTY AND BUSINESS ASSOCIATE AGREEMENT TERMS. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT SUBMIT THIS ORDER.
Definitions
As used in these Terms of Use:
"Anonymized Data" means data, including Customer Data, from which PHI or Personal Information has been removed or de-identified.
"BAA" means the Business Associate Agreement attached hereto as Exhibit A.
"Customer Data" means all electronic data, content and information input by or acquired from Customer and Users in connection with a Subscription or using the Service, including any PHI or Personal Information of individuals.
"Dentagraphics Materials" means the Service, software, documentation, website, its contents and interfaces, Dentagraphics trademarks and service marks, custom developments, training materials, and other written or electronic documents and materials produced by Dentagraphics that relate to the Service, and all intellectual property rights in the foregoing. Dentagraphics Materials include Anonymized Data and Usage Data but do not include Customer Data that contains Personal Information or PHI that is not anonymized or de-identified.
An "Order" means any Customer request to purchase a Subscription or Services. Each Order incorporates by reference and includes these Terms as though fully written therein.
"Patient" means the patient of a Customer.
"Payment Option" means a current, valid method of payment accepted by Dentagraphics.
"Protected Health Information" or "PHI" has the meaning given to Protected health information in 45 CFR § 160.103.
"Personal Information" or "PI" means information about an individual that identifies, relates or is unique to, or describes him or her, including a social security number, age, military rank, civilian grade, marital status, race, salary or home/office phone numbers.
"Service" means the reports, tools, data, guidance and analysis provided by Dentagraphics for starting, acquiring, monitoring, analyzing and growing dental practices, including all features and functionalities, recommendations and reports, the website, interfaces, content and software associated with delivering the Service.
"Software" means the computer code and software program(s) that Dentagraphics makes available to Customer through the Subscription or uses to provide any Service.
"Subscription" means the subscription plan specified in an Order for providing online access to hosted Dentagraphics Software and any related products and Services offered by Dentagraphics that are made available online to Customer, including any associated offline components. "Subscription" includes those services or products provided by third parties.
"Usage Data" means metadata and other data related to Customers’ and Users’ use of the Service. Dentagraphics shall own such Usage Data, other than the Personal Information incorporated therein. Dentagraphics shall have the perpetual right to collect, aggregate, use, distribute and sell such Usage Data for any legal purpose, including without limitation for the purposes of providing services and improving the Service and Company’s products and services generally. Dentagraphics may retain and use Usage Data permanently. To the extent such Usage Data contains any individually identifiable data or Personal Information, Dentagraphics shall not sell or otherwise provide such Usage Data to any third party unless the data has been anonymized (e.g., no name or address attached to the particular data) and/or aggregated with other users’ data, so that it is not identifiable as to any particular person. Notwithstanding the foregoing, Dentagraphics may share Usage Data in its original form as necessary or appropriate to provide services to Customer (for example, using a third party to process payments) or to comply with legal obligations.
A "User" means any employee, independent contractor, staff or other individual that a Customer authorizes to use a Subscription or obtain Services as allowed by these Terms.
"License". Dentagraphics grants Customer a non-exclusive, non-transferable right and license, during the term of these Terms, to access and use the Subscription and Service during the Term. The License is subject to the following terms, conditions and limitations:
Subscriptions
Subscriptions will continue for the period selected by you, the Customer. If You select a Subscription product, your Subscription will automatically renew until terminated. To use the Dentagraphics service you must provide us with one or more Payment Options. You must cancel your Subscription before it renews to avoid a Subscription charge to your Payment Option for the next billing cycle. Details regarding your Subscription are available under your "Account" link on the Dentagraphics website.
We are not responsible for the products and services provided by third parties.
We may from time to time make promotional offers. Promotional offer eligibility is determined by Dentagraphics at its sole discretion. We reserve the right to revoke an Offer. We reserve the right to not activate or to put your account on hold if we determine you are not eligible for an Offer.
Subscription fees are fully earned upon payment. In some cases, your payment date may change, for example, if your Payment Option has not successfully settled, when you change your Subscription plan, or if your Subscription began on a day not contained in a month. Details regarding your payment details are available in the "Settings" module at app.dentagraphics.com. We may authorize your Payment Option in anticipation of membership or service-related charges through various methods, including authorizing it up to approximately one month of service when you register.
You authorize us to charge any Payment Option associated to your account if your primary Payment Option is declined or not available to us. You remain responsible for any unpaid Subscription. If a payment is not successfully settled, due to expiration, insufficient funds, or otherwise, and you do not cancel your account, we may suspend your access to the Service until we have successfully charged a valid Payment Option. For some Payment Options, the issuer may charge you certain fees, such as foreign transaction fees or other fees relating to the processing of your Payment Option. Dentagraphics is not responsible for such issuer fees.
Updating your Payment Options. You can update your Payment Options by going to the "Settings" module. We may also update your Payment Options using information provided by the payment service providers. Following any update, you authorize us to charge the applicable Payment Option(s).
Cancellation. You can cancel your Service subscription at any time, and you will continue to have access to the Service through the end of your billing period. To cancel, go to the "Settings" page at app.dentagraphics.com and turn off Auto Renew. When you cancel your subscription renewal, your account will automatically close at the end of your current billing period. To see when your account will close, see "My Subscriptions" on your "Settings" page.
Changes to the Price and Subscription Plans. We reserve the right to change our Subscription plans or adjust future pricing for our Subscriptions or Service or any components thereof in any manner and at any time as we may determine in our sole and absolute discretion. Except as otherwise expressly provided for in these Terms of Use, any price changes or changes to your Subscription plan will take effect following notice to you.
No Refunds. Payments are nonrefundable and there are no refunds or credits for partially used subscription periods. Following any cancellation, however, you will continue to have access to the Service through the end of your current billing period. Dentagraphics may, at any time, and for any reason, provide a refund, discount, or other consideration to You or other Customers ("Credits"). The amount and form of such Credits, and the decision to provide them, are at the sole and absolute discretion of Dentagraphics. The provision of credits to You in one instance does not entitle You to credits in the future for other instances, including similar ones, nor does it obligate us to provide credits in the future, under any circumstance.
Intellectual Property. This website, the Service and all content on the website and all software used to deliver the Service are owned or licensed by Dentagraphics or other third parties and are protected from any unauthorized use, copying and dissemination by copyrights, trademarks, service marks, international treaties, and/or other proprietary rights and laws of the U.S. and other countries. The Service is also protected as a collective work or compilation under U.S. copyright and other laws and treaties. All individual articles, search results and other elements making up the Service are also copyrighted works. You agree to abide by all applicable copyright and other laws, as well as any additional copyright notices or restrictions contained in the Service. You acknowledge that the Service has been developed, compiled, prepared, revised, selected, and arranged by Dentagraphics and others (including certain other information sources) through the application of methods and standards of judgment developed and applied through the expenditure of substantial time, effort, and money and constitutes valuable intellectual property of Dentagraphics and such others. You agree to protect the proprietary rights of Dentagraphics and all others having rights in the Service during and after the term of this agreement and to comply with all reasonable written requests made by Dentagraphics or its suppliers and licensors of content, equipment, or otherwise ("Suppliers") to protect their and others' contractual, statutory, and common law rights in the Service and Reports. You agree to notify Dentagraphics in writing promptly upon becoming aware of any unauthorized access or use of the Service or Reports by any individual or entity or of any claim that the Service infringes upon any copyright, trademark, or other contractual, statutory, or common law rights.
All present and future rights in and to trade secrets, patents, copyrights, trademarks, service marks, know-how, and other proprietary rights of any type under the laws of any governmental authority, domestic or foreign, including rights in and to all applications and registrations relating to the Service (the "Intellectual Property Rights") shall, as between you and Dentagraphics, at all times be and remain the sole and exclusive property of Dentagraphics. All present and future rights in and title to the Service (including the right to exploit the Service and any portions of the Service over any present or future technology) are reserved to Dentagraphics for its exclusive use. Except as specifically permitted by Dentagraphics in writing, you may not copy or make any use of the Service or any portion thereof. Except as specifically permitted herein, you shall not use the Intellectual Property Rights or the Service, or the names of any individual participant in, or contributor to, the Service, or any variations or derivatives thereof, for any purpose, without Dentagraphics's prior written approval.
Customer's Obligations Relating to Data. Customer has the sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of or right to use all Customer Data. Customer agrees that it is solely responsible for the nature, quality and accuracy of all Customer Data. Customer will promptly handle and resolve any notices and claims relating to the Customer Data, including any notices sent by any person claiming that any Customer Data violates any person's rights, such as take-down notices pursuant to the Digital Millennium Copyright Act and any other notices. Customer hereby grants Dentagraphics and its contractors the right to use, modify, adapt, reproduce, distribute, display and disclose Customer Data posted on the Subscription Service solely to the extent necessary to provide the Subscription Service and other Services or as otherwise permitted by these Terms.
User Obligations. Each User accepts these Terms as a condition of using the Subscription or obtaining any Service. Customer is responsible for ensuring that its Users comply with these Terms.
Ownership
As between the parties, Dentagraphics owns and retains all right, title and interest in and to the Service and all other Dentagraphics Materials. Dentagraphics also owns all right, title and interest in and to anonymized and aggregated Customer Data, as detailed below under the heading, Anonymized Data. Third Party Software is owned by the applicable copyright holders. Portions of Dentagraphics's software and other materials may be licensed to it by third parties. The Subscription Service and all other Dentagraphics Materials may be used by Customer and Users only for the purposes described in these Terms. Any rights not expressly granted herein are reserved by Dentagraphics. Neither these Terms nor any other agreement between the parties changes ownership of any pre-existing software or other materials.
As between the parties, Customer owns and shall retain all right, title and interest in and to all Customer Data, except for Usage Data and Anonymized Data.
Anonymized Data. Unless otherwise prohibited by applicable law, Dentagraphics may anonymize or de-identify PHI or Personal Information in accordance with the provisions of applicable law and use and disclose Anonymized Data for any legal purpose. Dentagraphics owns all right, title and interest in and to Anonymized Data. Dentagraphics may also use PHI or Personal Information to prepare analyses and reports for the Customer using that Customer's Customer Data. Such reporting will be done in a manner that does not disclose PHI or Personal Information in a manner prohibited by law.
Modifications. Customer and Users may not modify the Subscription Service or other Dentagraphics Materials in any way, other than adding, modifying, and deleting its own Customer Data. Customer acknowledges and agrees that Dentagraphics may make Modifications to the Subscription Service and other Dentagraphics Materials from time to time, in Dentagraphics' sole discretion. Dentagraphics reserves the right, in its sole discretion, to make unscheduled deployments of Modifications at any time and may add or remove functionalities or features and may suspend the Subscription Service while updating it.
Privacy and Security Relating to PHI and Personal Information.
Reasonable Safeguards. Dentagraphics agrees to maintain commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Customer Data, including PHI and other Personal Information. Dentagraphics will not disclose or use PHI or Personal Information except (i) as set forth in these Terms, the Privacy Policy or the BAA, (ii) as compelled by law, (iii) as expressly permitted or instructed by Customer, or (iv) as reasonably necessary to provide the Subscription Service and other Services.
Business Associate Agreement. With respect to the PHI contained in Customer Data or that Dentagraphics otherwise accesses in connection with these Terms, the parties hereby agree to and incorporate by reference the terms of the BAA attached hereto as Exhibit A. In the event of a conflict between the BAA, these Terms or the Privacy Policy, the BAA will control with respect to PHI.
Privacy Policy. The Personal Information contained in Customer Data or that Dentagraphics otherwise accesses in connection with these Terms, the registration process or otherwise, is governed by the Privacy Policy. The Privacy Policy sets forth Dentagraphics' policies and practices for collecting, using, maintaining, protecting and disclosing Personal Information. If a User does not agree with the Privacy Policy, the User may not use the Subscription, Software or Website.
Rights of Data Subjects. Dentagraphics will comply with Users' and Patients' reasonable requests regarding the treatment and use of their Personal Information under the Privacy Policy and applicable laws and regulations. Requests relating to PHI will be handled in accordance with the BAA.
Remote Log-in Services. In connection with the provision of technical support, training and other Services, you agree that Dentagraphics may remotely log in to your computers, devices and systems for purposes of installing the Software, accessing Customer Data, or providing support, training or other Services, including, without limitation, technical trouble shooting, answering questions, benchmarking and providing training to you or your personnel. Remote login may be conducted through the use of third party entities. You further agree that Dentagraphics may also remotely log in at any time as necessary or appropriate to maintain its Services.
Access to Your System. You agree to keep your computers powered on during the Subscription Service runtimes that you specify. You must add Dentagraphics or its third party affiliate to the "allowed" list of programs and ensure that your firewall and anti-virus software programs do not block the Services. Additionally, your practice management software must always be accessible by Dentagraphics. It is your responsibility to contact Dentagraphics if you are upgrading or changing your computer systems.
Access to Third Party Services. The Subscription Service may require you to give Dentagraphics access to or require you to provide login information and password information for accounts or services you may have with third party providers that link to a Service. When you provide this information to Dentagraphics or give Dentagraphics access to these third party accounts, you agree that you have read all contracts and written agreements governing such access, login information and passwords and that you have all the necessary contractual and legal rights to give Dentagraphics such access, login information and passwords.
Customer's Warranties. Customer represents and warrants to Dentagraphics that:
- Customer has full power and authority to enter into these Terms and make the agreements specified herein.
- Customer shall not have any right or authority to make any representations or warranties on Dentagraphics' behalf, except as expressly approved in writing by Dentagraphics; or to assume or create any obligations or responsibilities, express or implied, on behalf of Dentagraphics; or to bind Dentagraphics in any way; except as expressly set forth in these Terms. Dentagraphics shall not be liable for any unauthorized representations or warranties made by Customer.
- Customer Data will not violate any person's right of privacy or any copyright, trademark, or other intellectual property rights, and Customer will not transmit any such materials to Dentagraphics. Customer has all the rights in the Customer Data necessary for Customer to use the Subscription Service and to grant the rights in these Terms; and the storage, use or transmission of the Customer Data pursuant to the terms of these Terms does not violate any laws or regulations or these Terms.
Limitations of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL DENTAGRAPHICS, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS BE LIABLE FOR (i) ANY INDIRECT, INCIDENTAL, UNFORESEEABLE, SPECIAL, PUNITIVE, COVER OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, REVENUE, GOODWILL, USE OR CONTENT); (ii) COSTS OF PROCUREMENT OR SUBSTITUTE GOODS OR SERVICES; (iii) ANY LOSS OF DATA OR OTHER CONTENT RESULTING FROM DELAYS, NON-DELIVERIES, MIS-DELIVERIES, SECURITY BREACHES TO, SERVICE INTERRUPTIONS TO, OR ERRORS OR OMISSIONS RESPECTING THE SUBSCRIPTION SERVICE OR DENTAGRAPHICS' OPERATIONS. THIS LIMITATION APPLIES TO DAMAGES HOWEVER CAUSED, UNDER ANY THEORY OF LIABILITY, INCLUDING, WITHOUT LIMITATION, CONTRACT, TORT, WARRANTY, NEGLIGENCE OR OTHERWISE, EVEN IF DENTAGRAPHICS HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE AGGREGATE LIABILITY OF DENTAGRAPHICS AND ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS OR LICENSORS, RELATING TO THE SUBSCRIPTION SERVICE AND THESE TERMS WILL BE LIMITED TO THE GREATER OF AN AMOUNT EQUAL TO THREE MONTHS OF YOUR FEES FOR THE SUBSCRIPTION SERVICE OR FIVE DOLLARS ($5.00).
GENERAL. THE LIMITATIONS AND EXCLUSIONS OF THIS SECTION APPLY EVEN IF THIS REMEDY DOES NOT FULLY COMPENSATE YOU FOR ANY LOSSES OR FAILS OF ITS ESSENTIAL PURPOSE.
NOTHING IN THESE TERMS OF USE SHALL AFFECT ANY NON-WAIVABLE STATUTORY RIGHTS THAT APPLY TO YOU.
Indemnification. To the extent permitted by law, you will indemnify, defend and hold harmless Dentagraphics, including its affiliates, officers, directors, agents, employees, contractors, licensors, and other business partners, from and against any claim, demand, judgment, liability, costs, expense (including attorney fees and costs), cost, loss, damage, or other liability arising from any third party demand or claim (i) arising out of your breach or alleged breach of these Terms, (ii) relating to any Customer Data uploaded or provided by you, (iii) relating to the products and services that you or your company or organization provide, or (iv) regarding your violation of any applicable law, rule, or regulation. This indemnity does not apply if the claim is based upon Dentagraphics' gross negligence or willful misconduct.
Third Party Software. The parties acknowledge that the Software contains Third Party Software components. Third Party Software that is embedded in the Software or provided by Dentagraphics as an integrated part of any Service, is sublicensed by Dentagraphics to Customer pursuant to these Terms, as applicable, unless Dentagraphics provides a separate third party license(s) for such Third Party Software to Customer. Third Party Software is licensed only for use in connection with the Software, Subscription and Service.
Limits on Use of the Service
The Dentagraphics Service and any content viewed through our Service are for your own use only and may not be shared with individuals beyond those directly involved in finding a location or existing practice for you to build a new practice or acquire an existing one. During your Dentagraphics Subscription, we grant you a limited, non-exclusive, non-transferable right to access the Dentagraphics Service and view Dentagraphics content through the Service. Except for the foregoing, no right, title or interest shall be transferred to you.
You agree to use the Service, including all features and functionalities associated therewith, in accordance with all applicable laws, rules and regulations, or other restrictions on use of the service or content therein. Except as explicitly authorized in these Terms of Use, you agree not to archive, download, reproduce, distribute, modify, display, perform, publish, license, create derivative works from, offer for sale, or use content and information contained on or obtained from or through the Dentagraphics Service. You also agree not to circumvent, remove, alter, deactivate, degrade or thwart any of the content protections in the Service; use any robot, spider, scraper or other automated means to access the Service; decompile, reverse engineer or disassemble any software or other products or processes accessible through the Service; insert any code or product or manipulate the content of the Service in any way; or use any data mining, data gathering or extraction method. In addition, you agree not to upload, post, e-mail or otherwise send or transmit any material designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment associated with the Dentagraphics Service, including any software viruses or any other computer code, files or programs.
The Software is developed by, or for, Dentagraphics and may solely be used in connection with the Service. This software may vary in functionality by device and medium, and functionalities may also differ between devices.
Passwords and Account Access. The member who created the Dentagraphics account and whose Payment Option is charged (the "Account Owner") is responsible for any activity that occurs through the Dentagraphics account. The Account Owner shall maintain control over the Dentagraphics credentials that are used to access the Service and not reveal any password or details of the Payment Option associated with the account to anyone. Customer is responsible for updating and maintaining the accuracy of the information provided to Dentagraphics relating to its account. Dentagraphics is not obligated to credit or discount a Subscription for holds placed on the account by either a representative of Dentagraphics or by the automated processes of Dentagraphics.
Miscellaneous
Governing Law. These Terms of Use shall be governed by and construed in accordance with the laws of the state of Ohio, U.S.A. without regard to conflict of laws provisions. These terms will not limit any consumer protection rights that you may be entitled to under the mandatory laws of your state of residence.
Survival. If any provision or provisions of these Terms of Use shall be held to be invalid, illegal, or unenforceable, the validity, legality and enforceability of the remaining provisions shall remain in full force and effect.
Changes to Terms of Use and Assignment. Dentagraphics may, from time to time, change these Terms of Use. Such revisions shall be effective immediately; provided however, for existing members, such revisions shall, unless otherwise stated, be effective 30 days after posting. We may assign our agreement with you to any affiliated company or to any entity that succeeds to all or substantially all of our business or assets related to the applicable Dentagraphics service.
Communication Preferences. We will send you information relating to your account (e.g. payment authorizations, invoices, changes in password or Payment Option, confirmation messages, notices) in electronic form only, for example via emails to your email address provided during registration. You agree that any notices, agreements, disclosures or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing.
EXHIBIT A
BUSINESS ASSOCIATE AGREEMENT
If Customer is a Covered Entity or a business associate and includes Protected Health Information in Customer Data provided to Dentagraphics as a business associate, the Customer Terms of Use between the parties (the "Terms") will automatically incorporate the terms of this Business Associate Agreement ("BAA") as part of the overall agreement between the parties. If there is any conflict between a provision in this BAA and a provision in the Terms, this BAA will control. In this BAA, Customer is referred to as "Covered Entity" and Dentagraphics is referred to as "Business Associate."
Unless otherwise defined in this BAA, capitalized terms have the meanings set forth in the HIPAA Privacy and Security Rules, 45 C.F.R. Parts 160, 162 and 164, as modified from time to time.
WHEREAS, Business Associate has been engaged by Covered Entity to perform certain services under the Terms, wherein Business Associate may need to access, use and/or disclose Protected Health Information received from Covered Entity as a business associate; and
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Terms are in accordance with applicable federal statutory and regulatory requirements relating to the access, use and disclosure of Protected Health Information, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162 and 164 (respectively the "Privacy Standards" and "Security Standards") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act, as set forth in Subtitle D of the American Recovery and Reinvestment Act of 2009 ("HITECH"); and
WHEREAS, the purpose of this Business Associate Agreement is to satisfy the applicable standards and requirements of HIPAA, HITECH, the Privacy Standards and the Security Standards and regulations thereunder;
NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants set forth herein, Business Associate and Covered Entity agree as follows:
- Definitions:
- "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this BAA, shall mean Dentagraphics, LLC.
- "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the party identified as the Covered Entity in the first paragraph above.
- "Electronic Health Record" shall have the same meaning as the term "electronic health record" in the American Recovery and Reinvestment Act of 2009, § 13400(5).
- "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 and regulations issued thereunder, as may be expanded by HITECH.
- "Protected Health Information" or "PHI" has the meaning given to Protected Health Information in the HIPAA Rules.
- Other Terms. The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (or "Electronic PHI"), Electronic Transactions Rule, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Transaction, Unsecured Protected Health Information, and Use.
- Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as then in effect or as amended.
- Scope: This BAA sets forth the terms and conditions pursuant to which all PHI that is provided, created, exchanged or received by and between Business Associate and Covered Entity will be handled. Business Associate and Covered Entity will comply with all applicable laws, including those governing the creation, use, disclosure, access, storage, and maintenance of PHI.
- Duties and Responsibilities of Business Associate: Business Associate agrees to:
- Use and Disclosure of PHI. Not Use or Disclose PHI other than as permitted or required by this BAA, as set forth in Section 4.a below, or as required by applicable law;
- Safeguards. Use reasonable and appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 and HITECH with respect to electronic PHI, to protect the security of all PHI received from Covered Entity against Security Incidents, prohibited Uses or Disclosures of PHI or other misuse of PHI, as required by the HIPAA Rules;
- Required Reporting. Report to Covered Entity, within thirty (30) days, any prohibited Use or Disclosure of PHI received from Covered Entity of which Business Associate becomes aware, by Business Associate, any of its employees, Subcontractors or agents, or any third party receiving or obtaining such PHI from or through Business Associate, including Breaches of Unsecured Protected Health Information, in addition to any other reporting obligations of Business Associate under the HIPAA Rules, and report any Security Incident of which it becomes aware; provided, however, that the parties acknowledge and agree that from time to time Unsuccessful Security Incidents may occur, that this section constitutes notice to Covered Entity for such incidents, and that no additional notice to Covered Entity is required for such incidents. "Unsuccessful Security Incidents" means any pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and/or comparable attacks or attempts, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. Such reports will include a description of the PHI used or disclosed and the nature of the Use or Disclosure, to the extent such information is known by Business Associate;
- Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI or Electronic PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI or Electronic PHI; including the obligation to report to Business Associate any instances of which it is aware of violation of the BAA with respect to PHI or Electronic PHI;
- Individual and Third Party Requests. If Business Associate receives a request from an Individual or any third party to inspect, obtain a copy of, or amend PHI, Business Associate will forward such request in writing to Covered Entity within five (5) business days of receiving the request. Covered Entity will be responsible for making all determinations regarding the third party request for PHI; Business Associate will neither make such determinations nor release PHI to a third party pursuant to such a request, except if and to the extent required by the HIPAA Rules;
- Designated Record Sets. If Business Associate's services under the Terms require it to maintain a Designated Record Set, then:
- within ten (10) business days of Covered Entity's request to Business Associate for a copy of PHI, Business Associate will provide the requested PHI to Covered Entity, as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524; and
- Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526;
- Accounting of Disclosures. Maintain and, within thirty (30) days of receiving a request, or sooner if Required by Law, make available the information required to provide an accounting of disclosures to either Covered Entity or the Individual as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528, for a period of at least six (6) years following the date of termination of this BAA;
- Comply with Applicable Obligations of Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s);
- Books and Records. Make its internal practices, books, and records relating to the Use and Disclosure of Covered Entity's PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. Neither Business Associate nor Covered Entity waives any attorney-client, accountant-client, or other legal privilege or confidentiality as a result of this Section 3.i; and
- Training. Business Associate will require each employee who will have access to PHI of Covered Entity, to comply with the restrictions and conditions applicable to Business Associate herein. Business Associate will train its employees who may have access to PHI regarding the terms and conditions of this BAA and their obligations under the HIPAA Rules.
- Electronic PHI. Business Associate will comply with the Security Standards and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity's behalf, as required by the Security Standards. Business Associate shall review and modify the security measures implemented in accordance with the above as needed to continue provision of reasonable and appropriate protection of Electronic PHI. Business Associate shall update documentation of such security measures in accordance with 45 C.F.R. § 164.316(b)(2)(iii) and shall designate a security officer and undertake appropriate training of its personnel in accordance with the Security Standards.
- Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of Covered Entity for which the Department of Health and Human Services has established standards, Business Associate shall comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule.
- Permitted Uses and Disclosures by Business Associate:
- Permitted Uses and Disclosures. Business Associate may only Use or Disclose PHI received from Covered Entity:
- as required to perform services for Covered Entity as specified under the Terms or other agreement between the parties;
- for Business Associate's proper management and administration (including improving its services), or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
- to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, if so provided under the Terms or otherwise agreed in writing by the parties; and/or
- to create de-identified information, in accordance with the standards set forth in 45 CFR 164.514(a)-(c), and to use and disclose such de-identified information for any purpose permitted by law.
- Required Uses and Disclosures. Business Associate shall disclose PHI (i) when required by the Secretary of HHS under 45 C.F.R. Part 160, Subpart C to investigate or determine Business Associate's compliance with Subchapter C of 45 C.F.R., Subtitle A, and (ii) to Covered Entity, the individual or the individual's designee, as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524(c)(2)(ii) and (3)(ii) with respect to the individual's request for an electronic copy of his or her PHI.
- Access. Business Associate will make available PHI in accordance with 45 C.F.R. § 164.524, upon request from Covered Entity, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524.
- Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation of 45 C.F.R. § 164.502(b) if neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary. Business Associate and Covered Entity acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with 45 C.F.R. § 164.502(b).
- Subpart E. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth in Section 4.a.
- Obligations of Covered Entity:
- Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
- Notice of Changes in Consent. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
- Notice of Restrictions. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.
- Permitted Requests. Covered Entity will not request or require Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Term and Termination:
- Term. The Term of this BAA shall begin upon the effective date of the Terms and shall continue in effect until terminated as provided herein and until Business Associate returns or destroys all PHI of Covered Entity.
- Termination at End of Business Association. This BAA will automatically terminate without further action of the parties upon the termination or expiration of the business association between Business Associate and Covered Entity.
- Termination for Cause. If either party materially breaches this BAA, the other party may terminate this BAA and, at its election, the underlying Terms, subject to thirty (30) days prior written notice and opportunity to cure the breach.
- Effect of Termination. Within thirty (30) days of the termination of this BAA, Business Associate will either return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form (including any information in the possession of any employee, Subcontractor or other agent of Business Associate). Upon request of Covered Entity, Business Associate will provide a certificate to Covered Entity acknowledging such destruction. Business Associate will thereafter retain no written, digital, back-up or other copies of any PHI of Covered Entity. Notwithstanding the foregoing, if the return or destruction of PHI upon termination is not feasible, Business Associate shall so inform Covered Entity and will continue to maintain the security and privacy of such Protected Health Information in a manner consistent with the obligations of this BAA and as required by applicable law, for so long as Business Associate is in possession of such information. Business Associate will return or destroy such retained PHI as soon as is reasonably feasible. Business Associate may retain all de-identified information created prior to the date of termination of this BAA. The obligations of Business Associate under this Section 6 shall survive the termination of this BAA.
- Ownership: All PHI that Covered Entity discloses to Business Associate pursuant to this BAA is and will remain the property of Covered Entity.
- Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION IN THIS BAA, UNDER NO CIRCUMSTANCES WILL BUSINESS ASSOCIATE HAVE ANY OBLIGATION OR LIABILITY HEREUNDER FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, COLLATERAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES INCURRED BY COVERED ENTITY (INCLUDING DAMAGES FOR LOST BUSINESS, LOST PROFITS, COSTS OF COVER, COSTS OF DELAY, OR DAMAGES TO BUSINESS REPUTATION), REGARDLESS OF HOW SUCH DAMAGES ARISE, WHETHER OR NOT BUSINESS ASSOCIATE WAS ADVISED SUCH DAMAGES MIGHT ARISE, OR THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. IN NO EVENT SHALL BUSINESS ASSOCIATE HAVE ANY OBLIGATION, OR BE LIABLE FOR ANY DAMAGES, DIRECT OR OTHERWISE, UNDER THIS BAA IN EXCESS OF THE TOTAL AMOUNTS PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE PURSUANT TO THE TERMS. These limitations are cumulative; the sum of multiple claims may not exceed such limit.
- Miscellaneous:
- Assignment; Binding Effect: This BAA is personal to Business Associate and Covered Entity and may not be assigned or delegated by either party without the prior written consent of the other party in each instance; provided, however, that in the event of a permitted assignment of the Terms, this BAA may be assigned together with the Terms. This BAA shall be binding upon and shall inure to the benefit of the parties hereto and their respective representatives, successors, and permitted assigns.
- Entire BAA; Amendment: This BAA contains the entire BAA between the parties, and supersedes all prior or contemporaneous BAAs, understandings, or representations with respect to the subject matter hereof. This BAA may be amended only by written BAA of the parties. Business Associate and Covered Entity agree to amend this BAA to the extent necessary to allow both parties to comply with the HIPAA Rules as they may be amended or recodified from time to time, or to comply with other applicable regulations or statutes for the protection of PHI.
- Severability. If any term or provision of this BAA shall to any extent be invalid or unenforceable, the remainder of this BAA shall not be affected thereby and each term and provision of this BAA shall be valid and enforced to the fullest extent permitted by law.
- Conflict: The terms and provisions of this BAA shall supersede any other conflicting or inconsistent terms and provisions in the Terms, including any other attachments thereto and documents incorporated therein by reference.
- Choice of Law and Venue: This BAA shall be construed in accordance with the laws of the State of Ohio, without giving effect to the choice of law provisions thereof. Venue for any action or proceeding related to this BAA shall be in the state or federal courts of the state of Ohio, as appropriate. The parties agree to the personal jurisdiction and venue of such courts.
- Notices. Any notice or report hereunder shall be deemed given if delivered or sent by first class mail, postage prepaid, addressed to the other party at the address set forth in the Terms, or at such other address as designated by the party by written notice, or by commercial delivery service, or by confirmed email or facsimile. If notice is given by mail and the notice affects the other parties' rights hereunder, the effective date of the notice shall be seven (7) days after the date of mailing or the date the notice is received, whichever is earlier.
- Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.