Terms and Conditions
All sample collection kits (“Kits”) are manufactured by Spectrum Solutions LLC (“Spectrum”) and provided by Vitagene, Inc. and all laboratory or testing services are performed by RUCDR Infinite Biologics (“RUCDR”), a laboratory certified under the Clinical Laboratory Improvement Amendments (“CLIA”) to perform Molecular-based Laboratory Developed Test for Detection of Nucleic Acid from SARS-CoV-2 Coronavirus (Molecular LDT Covid-19 Authorized Test) tests or testing services (“Lab Services”), under contract with Vitagene, Inc. For purposes of these Terms and Conditions, the Kits and Lab Services are collectively provided by Vitagene, Inc. (“Vitagene”) and referred to as “Services.”
Customer is a licensed healthcare professional or a healthcare facility, which employs or contracts with and provides healthcare services through licensed healthcare professionals, and is qualified to receive Kits and to perform collection or supervise the collection of human specimens for Lab Services from its patients or clients (“Patients”).
Vitagene’s obligation to provide Services to Customer is expressly conditioned on Customer’s acceptance of, and shall be governed by, the following terms and conditions (“Terms”). For purpose of these Terms, Vitagene and Customer are individually a “Party” and collectively “Parties.”
1. Agreement and Acceptance. Upon Customer’s acceptance of a purchase order issued by Vitagene to provide Services (“Purchase Order”) and setting out the scope and price for such Services and other relevant details (or Customer’s acceptance or receipt of the Services covered by a Purchase Order) and Vitagene’s subsequent written confirmation of acceptance thereof (or provision of the applicable Services to Customer), Customer shall be deemed to have placed a legally binding order for the applicable Services subject to the terms of the applicable Purchase Order and these Terms (“Agreement”). The terms of an Agreement may not be amended or modified except by a change order or other writing mutually executed by the Parties. Customer may not cancel or modify an Agreement except as expressly set forth in the applicable Purchase Order or these Terms. For clarity, no order or request by Customer for provision of Services shall be binding upon Vitagene until confirmed by Vitagene in writing, and Vitagene will have no liability to Customer with respect to orders or requests for Services that are not so confirmed. In the event of any conflict between these Terms and a Purchase Order, these Terms shall control, unless explicitly otherwise stated in the Purchase Order. No additional or different terms contained in any purchase order, invoice or other ordering document or correspondence between the Parties (including within any acceptance of a Purchase Order by Customer or a purchase order issued by Customer) shall bind either Party or be construed to modify or amend the terms of an Agreement or these Terms and any such additional or different terms are hereby expressly excluded and will be of no force or effect.
2. Services. Vitagene will have no obligation to begin to provide any Services until a Purchase Order has been placed and confirmed by Customer and Vitagene in accordance with Section 1 of these Terms and payment therefor has been received in full by Vitagene. Vitagene will provide Services in accordance with the applicable Purchase Order and these Terms; provided that Customer shall perform its responsibilities as set forth in the applicable Purchase Order and these Terms. Customer agrees that all timelines set forth in an Order are estimates and are not binding on Vitagene. Without limiting the foregoing, to the extent applicable to any Services, the estimated turnaround time for Services set forth in an Order (if any) shall not be deemed to begin to run until the date on which Vitagene has received from Customer payment in full of all Fees (as defined below) in accordance with the applicable Purchase Order and these Terms.
3. Shipment and Delivery Terms. All Kits will be shipped CIP (Incoterms 2010) to Customer’s, Customer’s designee’s, or Patient’s facility to the delivery address specified in the Purchase Order, or otherwise set forth in writing by the Customer. Except as otherwise stated in the Purchase Order, Vitagene may ship all Kits using the means and carrier of its choice. Kits are deemed shipped and delivered to Customer when tendered by the applicable commercial carrier at Customer’s, Customer designee’s, or Patient’s facility. At such point, title to the Kits passes to Customer and Customer becomes responsible for risk of loss and damage.
4. Corrections and Replacement; Limited Remedies. Customer, Customer designee, or Patient shall visibly inspect the Kits for any non-conformity with the Purchase Order and any visibly noticeable damage within five (5) business days of delivery. Customer shall notify Vitagene of any non-conformity or damages of the delivered Kits as set forth in this Section 4. In the event that Vitagene has not provided Kits in accordance with these Terms or the applicable Agreement, Vitagene agrees, at Vitagene’s election to either (a) provide that certain non-conforming portion of the Kits again, making the necessary corrections or (b) refund the Fees related to that certain portion of the non-conforming Kits (except, in the case where such Kits’ non-conformance is due to causes occurring after shipment in accordance with Section 3). Vitagene’s entire liability and Customer’s exclusive remedy for non-conformance is limited to the remedies set forth in this Section 4. Customer agrees that to obtain any of the aforementioned remedies Customer must (i) notify Vitagene in writing upon discovery that the Services failed to conform to these Terms with a sufficiently detailed explanation of any alleged deficiencies within five (5) days of receipt of Kits and (z) cooperate with Vitagene, as applicable, in replacement of Kits. If Customer does not notify Vitagene of such non-conforming Kits within such five (5) days, the Kits will be deemed accepted and fully conforming and compliant for purposes of these Terms. THE FAILURE OF CUSTOMER TO CONDUCT SPECIMEN COLLECTION OR TO ENSURE DELIVERY OF THE KIT TO RUCDR AS SET FORTH IN SECTION 6 SHALL NOT ENTITLE CUSTOMER OR PATIENT TO A REMEDY UNDER SECTION 4.
5. Laboratory and Testing Services. RUCDR will perform any laboratory or testing services under this Agreement in accordance with the supplemental terms in Exhibit A.
6. Use of Kits. Customer shall use all Kits (specimen collection kits) in accordance with applicable laws, rules, regulations and governmental policies and in accordance with these Terms. For clarity, Customer shall not (and shall cause others not to) modify, reverse engineer, decompile, deconstruct or disassemble any Kits or any tangible or intangible components thereof. Customer agrees and acknowledges that the Kits are intended solely for human specimen collection by or under the supervision of a qualified healthcare professional solely in the United States in compliance with applicable law. Customer shall ensure that all human specimen collection using the Kits is performed by or under the supervision of a qualified healthcare professional solely in the United States in compliance with applicable law. Customer shall ensure that each and every human specimen collection using the Kits is delivered to RUCDR within twenty-four (24) hours after the time the specimen is collected. UNLESS APPROVED IN WRITING BY VITAGENE, CUSTOMER FURTHER AGREES TO NOT USE OR PERMIT THE USE OF THE KITS FOR ANY SPECIMEN COLLECTION OUTSIDE OF THE SUPERVISION OF A QUALIFIED HEALTHCARE PROFESSIONAL OR OTHERWISE IN VIOLATION OF THIS SECTION. Customer shall be solely responsible for the use of the Kits. Customer acknowledges and agrees that (i) the Kits and the Lab Services are approved pursuant to an Emergency Use Authorization (“EUA”) issued by the US Food and Drug Administration (“FDA”) to RUCDR on April 10, 2020 and (ii) the Parties’ interpretation of the applicable FDA guidance permits them to proceed and use such Services subject to these Terms.
7. Intellectual Property. As between the Parties, each Party shall retain all right, title, and interest in and to its inventions, discoveries, technology, and other developments either existing as of the date of Customer’s request for Services or created outside of the performance of Customer’s applicable Agreement, including all intellectual property rights in and to the foregoing (“Background Intellectual Property”). No rights or licenses in, to or under Background Intellectual Property of a Party are granted or provided hereunder to the other Party, by implication, estoppel or otherwise, except to the extent expressly provided for in these Terms.
Inventorship and authorship shall be determined in accordance with United States patent law and United States copyright law, as applicable. Ownership of all right, title, and interest in any inventions, discoveries, technology, and other developments created in performance of an Agreement shall be determined by inventorship and authorship.
8. Price and Other Fees. Customer shall pay Vitagene the price owed for all Services and any other fees and other payments (if any) specified in each Purchase Order (collectively, the “Fees”). The Fees include any shipping, handling, freight, insurance, taxes and customs, which Vitagene is responsible for paying and which, as applicable, Vitagene may add to Customer’s invoice. Vitagene shall not be bound or subject to any other pricing other than the Fees set forth in an Order, regardless of where such other pricing is stated or published.
9. Payment Terms. Except as expressly set forth in a Purchase Order, Customer shall be responsible for paying to Vitagene all Fees in full prior to Vitagene providing any corresponding Services. Except to the extent expressly provided otherwise in an Order or these Terms, all Fees are non-cancelable, non-creditable and non-refundable.
10. Taxes. Vitagene’s Fees do not include applicable taxes. Customer will be responsible for the payment of, and shall pay all, taxes and duties imposed with respect to the Services (and any other performance by Vitagene) under these Terms, including but not limited to sales, use, excise, value-added, business, goods and services, consumption, customs, tariffs, duties, withholding, and other similar taxes or duties, excluding taxes on Vitagene’s net income and employment taxes. The Parties will cooperate in good faith to seek to obtain any legally available reductions or exemptions from such taxes to the extent legally permissible.
11. Confidentiality. “Confidential Information” means any information disclosed by or on behalf of either Party or its representatives to the other Party pursuant to these Terms that is (a) marked “Confidential” or “Proprietary” or (b) otherwise reasonably expected to be treated in a confidential manner under the circumstances of disclosure or by the nature of the information itself. “Confidential Information” does not include (m) any information that is publicly available or becomes publicly available through no action or inaction of the receiving Party; (n) is in the rightful possession of the receiving Party without confidentiality obligations at the time of disclosure by the disclosing Party to the receiving Party as shown by the receiving Party’s then-contemporaneous written files and records kept in the ordinary course of business; or (o) is obtained by the receiving Party from a third party without an accompanying duty of confidentiality and without a breach of such third party’s obligations of confidentiality.
The receiving Party shall (x) use the Confidential Information solely to exercise its rights and fulfill its obligations as set forth in these Terms, (y) shall not disclose Confidential Information to any third parties other than its own employees on a need to know basis who are subject to written obligations of confidentiality and non-use that are at least as protective of Confidential Information as these Terms except with the disclosing Party’s express written consent, and (z) take the precautions the receiving Party employs with respect to protecting its own confidential information of a similar nature to protect Confidential Information. If the receiving Party becomes legally required to disclose any Confidential Information, the receiving Party will disclose only that portion that is legally required to be disclosed and such disclosed information shall maintain its confidentiality protection for all other purposes.
12. Limited Warranty. Subject to the terms of Section 4 with respect to corrections and replacements of Kits, the Services are provided “AS IS” without warranty, representation or guarantee of any kind. EXCEPT AS EXPLICITLY SET FORTH IN THESE TERMS AND CONDITIONS, VITAGENE MAKES NO, AND HEREBY DISCLAIMS ALL, REPRESENTATIONS AND WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE DELIVERABLES OR ANY OTHER SUBJECT MATTER OF THESE TERMS, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT AS WELL AS WARRANTIES REGARDING RESULTS OBTAINED THROUGH THE USE OF ANY PRODUCT AND ANY WARRANTY ARISING FROM A STATUTE OR OTHERWISE IN LAW OR FROM A COURSE OF PERFORMANCE, DEALING OR USAGE OF TRADE, ALL OF WHICH ARE EXPRESSLY DISCLAIMED. IN NO EVENT WILL VITAGENE’S TOTAL LIABILITY FOR BREACH OF ANY WARRANTY EXPRESSLY PROVIDED HEREUNDER EXCEED THE PRICE PAID FOR THE DELIVERABLES AT ISSUE. No description, statement or other content of any person, entity, website or marketing or communications materials will be binding on Vitagene.
13. Indemnification. Customer shall indemnify, defend and hold harmless Vitagene and its directors, officers, employees, and agents (the “Vitagene Indemnitees”) from and against any and all third-party claims brought against any Vitagene Indemnitees to the extent resulting from or caused by: (a) the gross negligence, recklessness or willful misconduct of any Customer indemnitee, Customer designee or Patient, (b) Customer’s, Customer’s designee, or Patient’s use of the Kits or Services contrary to these Terms, including Section 6, or (c) Customer’s breach of its obligations, warranties or representations under these Terms; except in each case to the extent that a claim arises out of or results from the gross negligence, recklessness or willful misconduct of any Vitagene Indemnitee or Vitagene’s breach of its obligations, warranties, or representations under these Terms.
Vitagene shall indemnify, defend and hold harmless Customer and its directors, officers, employees, and agents (the “Customer Indemnitees”) from and against any and all third party claims brought against any Customer Indemnitees to the extent resulting from or caused by: (a) the gross negligence, recklessness or willful misconduct of any Vitagene indemnitee, or (b) Vitagene’s breach of its obligations, warranties or representations under these Terms; except in each case to the extent that a claim arises out of or results from the gross negligence, recklessness or willful misconduct of any Customer Indemnitee or Customer’s breach of its obligations, warranties, or representations under these Terms.
A Party (the “Indemnitee”) that intends to claim indemnification under this Section 13 shall promptly notify the other Party (the “Indemnitor”) in writing of any claim, complaint, suit, proceeding or cause of action in respect of which the Indemnitee intends to claim such indemnification (for purposes of this Section 13, each a “Claim”), and the Indemnitor shall have the right to control of the defense and/or settlement thereof; provided that the Indemnitee shall have the right to participate, at its own expense, with counsel of its own choosing in the defense and/or settlement of such Claim. The Indemnitor shall not, without the consent of the Indemnitee, enter into any settlement or agree to any disposition that imposes any conditions or obligations on the Indemnitee. The failure to deliver written notice to the Indemnitor within a reasonable period of time after the commencement of any such Claim shall relieve such Indemnitor of any liability to the Indemnitee under this Section 13, solely to the extent such failure is prejudicial to the Indemnitor’s ability to defend such Claim. The Indemnitee under this Section 13, and its employees, at the Indemnitor’s request and expense, shall provide full information and reasonable assistance to Indemnitor and its legal representatives with respect to such Claims covered by this indemnification.
14. Limitation of Liability. WITHOUT LIMITING INDEMNIFICATION OBLIGATIONS UNDER SECTION 13 AND EXCEPT FOR DAMAGES ARISING FROM A BREACH OF SECTIONS 6 OR 11, OR A PARTY’S INTENTIONAL MISCONDUCT, OR FRAUD, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY HEREUNDER FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES OF ANY KIND (INCLUDING BUT NOT LIMITED TO COSTS OF COVER, COST OF PROCUREMENT OF SUBSTITUTE GOODS, LOST PROFITS, LOST DATA, LOSS OF BUSINESS, LOSSES FROM BREACHES OF SECURITY, OR LOSS OF GOODWILL) ARISING FROM OR IN CONNECTION WITH THESE TERMS, REGARDLESS OF ANY NOTICE OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF THE THEORY OF LIABILITY.
EXCEPT FOR A BREACH OF SECTION 6 OR 11, A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 13, OR EITHER PARTY’S INTENTIONAL MISCONDUCT, FRAUD, FRAUDULENT MISREPRESENTATION, OR ANY OTHER LIABILITY THAT CANNOT BE EXCLUDED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY DAMAGES OR OTHER AMOUNTS ARISING OUT OF OR IN CONNECTION WITH THESE TERMS AND CONDITIONS IN EXCESS OF TWO (2X) TIMES THE FEES PAID BY CUSTOMER TO VITAGENE UNDER THIS AGREEMENT.
15. Protected Health Information. The activities under these Terms, including any storage, maintenance, processing, transmission or other use or disclosure of individually identifiable information created or received under these Terms shall be conducted in compliance with all applicable laws and regulations, including without limitation the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and, as applicable, the General Data Protection Regulation (“GDPR”), as each may be amended from time to time, and any current and future regulations promulgated thereunder. Each Party represents and warrants to the other Party that it is in compliance with and will remain in compliance with 42 U.S.C. § 1320a-7b(b) (commonly known as the Anti-Kickback Statute), 42 U.S.C. § 1395nn (commonly known as the Stark law), and any other United States and applicable foreign law governing fraud and abuse, kickbacks, fee splitting or physician self-referrals, as such provisions may be amended from time to time.
16. Dispute Resolution. In the event of a dispute arising out of or relating to these Terms, either Party shall provide written notice of the dispute to the other Party, in which event the dispute shall be referred to the senior executive officers of each Party for attempted resolution by good faith negotiations within thirty (30) days after such notice is received. Any resolution mutually agreed to by such executive officers in writing shall be binding on the Parties. If such executive officers are unable to resolve any dispute within such allotted thirty (30) day period or such longer period as the Parties may agree, then at the request of either Party, such dispute shall be finally settled by binding arbitration in San Francisco, California under the Rules of Arbitration of the American Arbitration Association, by one (1) arbitrator appointed in accordance with said rules. The arbitrator shall apply the laws of the governing jurisdiction as provided in Section 18, without reference to rules of conflict of law or rules of statutory arbitration, to the resolution of any dispute. Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Each Party shall pay its own cost and expenses in such arbitration proceeding; provided that the arbitration fees shall be paid equally by the Parties. Notwithstanding anything to the contrary in these Terms, (a) the Parties may apply to any court of competent jurisdiction for preliminary or interim equitable relief, or to compel arbitration in accordance with this Section 16, without breach of this Section 16 and (b) any dispute, controversy or claim relating to the validity, scope, enforceability, inventorship, or ownership of intellectual property rights shall be submitted to a court of competent jurisdiction in the country in which such intellectual property rights were granted or arose.
17. Term and Termination. This Agreement shall commence on the Effective Date and continue until terminated in accordance with the terms set forth in this Agreement. Either Party may terminate this Agreement at any time, with or without cause, upon providing at least thirty (30) days prior written notice to the other Party. This Agreement may be terminated by either Party in the event of a material breach by the other Party, upon the giving of fifteen (15) days written notice setting forth such breach. However, if such breach is cured within such fifteen (15) day period, then such notice will be deemed to be withdrawn. Customer shall pay all amounts outstanding, due and owing under this Agreement as of the effective date of any such termination. Sections 6, 7 and 11-18 shall survive expiration or termination of the Agreement.
18. Miscellaneous. These Terms and any Exhibits or Attachments contain the entire agreement and understanding between the Parties concerning Services covered by an Agreement and supersede all previous negotiations, discussions and understandings, whether oral or written, between the Parties with respect to such subject matter. No modification or waiver of, addition to, or deletion from, these Terms shall be effective unless reduced to writing and signed by duly authorized representatives of the Parties hereto. These Terms shall be governed by and interpreted in accordance with the laws of the State of California, U.S., without reference to conflicts-of-law principles. Failure or delay by either Party in exercising any right hereunder shall not operate as, or be deemed a waiver of such right or of any other right hereunder, except for violations which, after discussion and agreement by the Parties, are waived in writing. These Terms may not be assigned or otherwise transferred, in whole or in part, by operation of law or otherwise, by either Party without the other Party’s express prior written consent; provided, however, that either Party may assign these Terms without such consent to its (i) affiliates or (ii) successor in interest in connection with any merger, consolidation, reorganization or sale of such Party or all or substantially all of its assets. These Terms shall be binding upon, and inure to the benefit of, the successors, executors, heirs, representatives, administrators and assigns of the Parties hereto. Neither Party shall be liable for damages for any delay arising out of causes beyond their reasonable control, including without limitation acts of God, labor disputes, riots, wars or component shortages. If any provision of these Terms is held to be invalid or unenforceable, the remainder of these Terms shall continue in full force and effect and will be interpreted to reflect the original intent of the Parties.
Supplemental Terms for Laboratory or Testing Services
1 Kits and Services
1.1 The Parties agree and recognize that Customer’s operations include providing clinical services, prescribed by licensed healthcare professionals (each healthcare professional an “Authorized Provider” and each healthcare practice a “Practice”) to individual Patients, consistent with Section 6; and Customer desires to engage Vitagene to provide Kits and arrange for Lab Services for Authorized Providers as set forth on Purchase Order.
1.2 Vitagene will access and process all requisitions from Customer’s Authorized Providers and applicable Patient information through an interface with Vitagene’s technology portal, or such other manner as instructed by Vitagene, pursuant to Section 6. If Vitagene detects any issues with the matching of specimens to the list of requisitions, Vitagene will promptly contact Customer. This will include issues of mismatches or obvious sample problems detected during accessioning.
1.3 Customer shall ensure that each and every human specimen collection using the Kits is delivered to RUCDR within twenty-four (24) hours after the time the specimen is collected.
1.4 Subject to Section 6 of the Terms, Customer shall ensure that each requisition or other order is completed by an Authorized Provider and shall maintain a list of the name(s) and any and all state license number(s) for all Authorized Providers ordering Services on behalf of Practice and any Patient pursuant to this Agreement.
1.5 Under this Agreement and at all times in accordance with the Terms, Vitagene will provide to Customer or distribute as designated by the Kits supplied by Spectrum as set forth in the Purchase Order and all associated supplies as permitted by applicable law to be used solely for the collection of specimens that are to be tested by RUCDR.
Results, Records and Laboratory Data
2.1 Vitagene, through RUCDR, will provide all results from Services performed (“Test Report” or “Test Reports”) in the manner mutually agreed to by the Parties. Vitagene will provide Test Reports to Customer no later than three (3) days after receipt of the Kit by RUCDR.
2.2 Vitagene agrees to direct RUCDR to maintain records in such form and for such duration as may be required by federal, state and local statutes and regulations. Customer and Vitagene agree that clinical records of Patients related to the ordering of laboratory tests and/or the Test Reports performed by RUCDR (collectively the “Data”) shall be regarded as confidential and both Parties and any third party with whom they share the Data shall comply with all applicable federal and state laws and regulations and any authorization granted by the Patient regarding the use and disposition of such Data. The provisions of this paragraph shall survive termination of the Agreement and this Exhibit.
2.3 Customer agrees to permit Vitagene to request authorization from Patients to disclose Data to Vitagene and its affiliates, channel partners, agents, contractors, and others for commercial purposes unrelated to the Services. Vitagene shall not condition the provision of Services on Patient’s grant of authorization.
3 Logos/ Publicity
3.1 Except in connection with applicable law, regulation, or court order, neither Party shall or permit anyone else to use the name or logo of the other Party and shall not originate any publicity, news release, or other public announcement, whether written, oral or via the Internet, relating to the other Party, the Agreement, any amendment hereto, any prices quoted herein or to any performance hereunder, without the prior written approval of the other Party.
4.1 Vitagene and Customer agree to maintain industry standard and commercially reasonable liability insurance in amounts adequate to cover their respective acts and omissions.
4.2 Vitagene and Customer agree to furnish each other with a current and valid Certificate of Insurance, or proof of adequate self-insurance, evidencing their general liability and professional liability insurance coverage. Any material modification or alteration in such coverage shall be promptly communicated to the other Party.
5 Compliance with Law
HIPAA Business Associate Agreement
1. PREAMBLE AND DEFINITIONS.
1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ( “HIPAA” ), the customer ( “Covered Entity” ) and Vitagene, Inc., or any of its corporate affiliates ( “Business Associate” ), a Delaware corporation, enter into this Business Associate Agreement ( “BAA” ) as of today’s date (the “Effective Date” ) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 ( “HIPAA Rules” ). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
1.2 This BAA is intended to set forth the safeguards that Business Associate will establish and implement for the Protected Health Information ( “PHI” ) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the service agreement that the parties hereto have entered into on or about the Effective Date (the “Underlying Agreement” ).
1.3 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act” ) and under the American Recovery and Reinvestment Act of 2009 ( “ARRA” ), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
1.4 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
1.5 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule” ) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.
2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
2.2 Business Associate agrees to use reasonable safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.
2.3 Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 45 calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply with Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
2.4 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.5 Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
(a) Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
(b) Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
2.6 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.
2.7 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
2.8 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 8).
2.9 To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
2.10 Business Associate agrees to account for the following disclosures:
(a) Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
(b) Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
(c) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the 3 years prior to the date on which the accounting is requested from Covered Entity.
2.11 Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
2.12 Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
3.1 General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in Section 5); provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.
3.2 Business Associate may use or disclose PHI as Required By Law.
3.3 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
3.4 Specific Other Uses and Disclosures:
(a) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation Services as permitted by HIPAA.
4. OBLIGATIONS OF COVERED ENTITY.
4.1 Covered Entity shall:
(a) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.
(b) Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
(c) Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.
4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.
5. COMPLIANCE WITH SECURITY RULE.
5.1 Effective April 20, 2005, Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
5.2 In accordance with the Security Rule, Business Associate agrees to:
(a) Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
(b) Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
(c) Report to the Covered Entity any Security Incident of which it becomes aware.
6. LIMITATION OF LIABILITY.
NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE RELATING TO OR ARISING FROM THE PERFORMANCE OR BREACH OF OBLIGATIONS SET FORTH IN THIS AGREEMENT, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.
7. TERM AND TERMINATION.
7.1 This BAA shall be in effect as of the Effective Date, and shall terminate on the earlier of the date that:
(a) Either party terminates for cause as authorized under Section 7.2.
(b) All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 7.3.
7.2 Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed 30 days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.
7.3 Upon termination of this BAA for any reason, the parties agree that:
Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
(a) Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
(b) Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form.
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs (2) and (3) above under “Specific Other Uses and Disclosures” which applied prior to termination.
(e) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
7.4 The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.
8.1 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.
8.2 The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.
8.3 This BAA shall be interpreted in the following manner:
(a) Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
(b) Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.
(c) Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.
8.4 This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
8.5 This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned by the Covered Entity, in whole or in part, without the written consent of the Business Associate. Any attempted assignment in violation of this provision shall be null and void.
8.6 This BAA may be executed in two or more counterparts, each of which shall be deemed an original.
8.7 Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the laws of the State of California, without regard to the principles of conflicts of law.
By signing or acknowledging this authorization electronically, I agree to its terms and representations.
Signature: acknowledged electronically or in writing
Date: June 30, 2020