Viera Rev, LLC

DATA MIGRATION SERVICE AGREEMENT

​

This Data Migration Service Agreement the (“AGREEMENT”) is made between Viera Rev, LLC (“SERVICE PROVIDER”) and the Provider/s, and or Medical Practice the (“CLIENT”), together the (“PARTIES”).

​

SERVICE PROVIDER provides certain services related to converting electronic medical records, and or, electronic health records that are maintained by certain healthcare providers, from such provider’s current internal system(s) to a third-party, cloud-based system.

​

CLIENT is a healthcare provider, or practice, that is currently maintaining and storing its electronic medical records, and or, electronic health records within its internal system(s); and

​

CLIENT desires to retain SERVICE PROVIDER, and SERVICE PROVIDER is willing to provide the services set forth in this AGREEMENT, and any Attachments included and incorporated herein by reference to CLIENT.

​

IN CONSIDERATION of the foregoing and the covenants and agreements herein, the PARTIES agree as follows:

 

1. Services

1.1Service Provider shall convert the (“CONVERSION”) certain electronic medical records and electronic health records and related data (collectively, the “RECORDS”) from one Records system platform to another third-party platform the (“SERVICES”). Client acknowledges and agrees that (a) all the Records that are to be converted in accordance with this Agreement, shall be provided to Service Provider via access to Client’s system platform data base. (b) Service Provider is not obligated or responsible to convert any electronic medical record or electronic health record that are not specifically identified by Client. It is agreed upon by the Parties that the third-party system where data will reside once migrated, shall be AdvancedMD, or such other third-party system that is mutually acceptable to the Parties. Client acknowledges and agrees that it is, and shall always be, fully responsible for the contents of the Records, and that Service Provider is only responsible for converting the Records.

1.2Client shall use its best efforts to assist Service Provider in a timely manner, including, without limitation, granting Service Provider access to Client’s systems and Records, immediately responding to Service Provider’s questions or inquires related to the Services, making the Client Representative immediately available to Service Provider, and executing and delivering any documents, agreements, or instruments as requested by Service Provider in order to perform the Services, in Service Provider’s discretion.  

1.3Parties agree to the HIPAA Business Associate Agreement, in the form of agreement attached hereto as Schedule A.

1.4Service Provider may freely engage, in its sole and absolute discretion, any third party, including, without limitation, contractors, subcontractors, affiliates, representatives or agents, to provide any aspect of the Services. 

 

2. Client Obligations - Client shall

2.1Designate an individual to serve as its primary contact with respect to this Agreement, and to act as its authorized representative regarding matters pertaining to this Agreement the (“Client Representative”). The designation shall remain in force, unless and until, a successor Client Representative is appointed. The Client Representative shall have the full power and authority to bind and act on behalf of the Client, including, without limitation, to issue approvals as required. Unless otherwise identified by Client, the name and contact information for the Client Representative is set forth, and identified, within the online Data Migration Registration (“Registration Form”), completed by Client as part of the execution of this Agreement.

2.2Require that the Client Representative respond within twenty-four (24)-hours to any request from Service Provider for instructions, information, or approvals required by Service Provider to provide the Services. Client acknowledges and agrees that cell phone (text, call, or voicemail), or email shall be acceptable forms of communication with the Client Representative.

2.3Cooperate with Service Provider in its performance of the Services, and provide access to Client’s electronic medical records systems, electronic health records systems, premises, property, employees, contractors, and equipment as required to enable Service Provider to provide the Services.

2.4Take all steps necessary, including, without limitation, obtaining any required licenses or consents, to prevent Client-caused delays in Service Provider’s provision of the Services.

​

3. Limited Warranty

3.1Service Provider warrants that it shall perform the Services using personnel of commercially reasonable skill, experience, and qualifications, and in a timely, workmanlike, and professional manner in accordance with generally recognized industry standards for similar services.

3.2Service Provider’s sole and exclusive liability and Client’s sole and exclusive remedy for breach of this warranty shall be as follows: Service Provider shall use reasonable commercial efforts to promptly cure any such breach; provided, that if Service Provider cannot cure such breach within a reasonable time (but no more than sixty (60) days) after Client’s written notice of such breach, Client may, at its option, terminate this Agreement by serving written notice of termination in accordance with Section 6.2. In no event shall Client be entitled to a refund of any portion of the Fee.

3.3Service Provider makes no warranties except for that provided in Section 3.1. All other warranties, express and implied, are expressly disclaimed. Service Provider makes no representation or warranty whatsoever regarding the Services and expressly disclaims all other warranties including any (A) warranty of merchantability; (B) warranty of fitness for a particular purpose; (C) warranty against infringement of intellectual property rights of a third party; whether implied, statutory, arising by law, course of dealing, course of performance, usage of trade, or otherwise. Client acknowledges that it has not relied on any representation or warranty made by Service Provider, or any other person on Service Provider’s behalf, except as specifically provided in Section 3.1.

​

4. Intellectual Property

Service Provider is and shall always be the sole and exclusive owner of its trade secrets, know-how, methodologies, processes, software, inventions, patents, trademarks, and any other of its Confidential Information, whether related to the Services or otherwise.

​

5. Confidentiality

From time to time during the Term of this Agreement, either Party (as the “Disclosing Party”) may disclose or make available to the other Party (as the “Receiving Party”), non-public, proprietary, and confidential information of Disclosing Party, whether orally or in writing (collectively, “Confidential Information”). Both Parties agree to keep such information confidential.

​

6. Term, Termination, and Survival

6.1This Agreement shall commence as of the date established, and digitally documented, upon the completion of the Registration Form, (“Execution Date”).

6.2In addition to any remedies that may be provided under this Agreement, Service Provider may terminate this Agreement, effective upon written notice to Client if the Client: (a) breaches any obligation, term or condition set forth in this Agreement, including, without limitation, any schedule, exhibit, or addendum attached hereto; (b) becomes insolvent or admits its inability to pay its debts as they become due; (c) becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law, which is not fully stayed within seven (7) days, or is not dismissed or vacated within forty-five (45) days after filing; (d) is dissolved or liquidated or takes any corporate action for such purpose; (e) makes a general assignment for the benefit of creditors; or (f) has a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

6.3Any right or obligation of the Parties in this Agreement, will survive any such termination or expiration of this Agreement.

6.4Upon the expiration, or earlier termination of this Agreement, all amounts owed by Client to Service Provider under this Agreement shall become immediately due and payable to Service Provider.

​

7. Limitation of Liability

7.1In entering into this Agreement, Client acknowledges and agrees that the Services will be subject to Service Provider's limitations of liability, and that Client's rights to pursue Service Provider for full actual loss or damages will be limited or prohibited by specific contractual terms or applicable law.

7.2In no event shall Service Provider be liable to Client, or to any third party, for any loss of use, revenue, profit, data, or for any consequential, incidental, indirect, exemplary, special, or punitive damages, whether arising out of breach of contract, tort (including negligence), or otherwise.

7.3In no event shall Service Provider’s aggregate liability arising out of, or related to this Agreement, exceed the aggregate amounts actually paid to, and received by Service Provider under this agreement.

​

8. Non-Disparagement

During the term of this Agreement and continuing thereafter indefinitely, Client shall not take any action, or make any verbal, or written statement which disparages Service Provider, any of its affiliates, or their officers, directors, shareholders, partners or employees. Further, Client will not directly or indirectly release any information or encourage others to make any statements or provide any information designed to embarrass, disparage or criticize Service Provider, any of its affiliates, or their respective officers, directors, shareholders, partners or employees.

​

9. Injunctive Relief

Client hereby acknowledges and agrees that if it repudiates, breaches, or violates any of the covenants set forth in Section 8, or threatens or attempts to do so, Service Provider will suffer immediate and irreparable harm that will not be compensable by damages alone. In addition to, and not in limitation of, any other right or remedy available at law or in equity (each and all of which are expressly reserved), Service Provider shall be entitled to obtain temporary, preliminary and permanent injunctive relief (mandatory and prohibitory) as well as specific performance in a court of competent jurisdiction to prevent or restrain any actual or threatened breach of, or to specifically enforce, any and all of the restrictive covenants therein. For purposes of the preceding, Client hereby irrevocably and unconditionally consents to submit to the venue, and exclusive jurisdiction, of Sumner County, Tennessee for any legal proceedings.

​

10. Indemnification

Client shall, to the fullest extent permitted by law, indemnify, hold harmless, and reimburse Service Provider and its affiliates and their officers, directors, managers, members, employees, contractors, representatives, agents, successors and assigns from and against all losses, damages, liabilities, deficiencies, actions, judgments, interests, awards, penalties, fines, taxes, costs, or expenses of whatever kind (including reasonable attorneys’ fees) arising out of or resulting from Client’s (a) gross negligence or willful misconduct, or (b) breach of any duty, obligation, representation or warranty under this Agreement. This Section 10 shall survive the termination of this Agreement.

​

11. Representations and Warranties

Client represents and warrants that: (a) it has the right and authority to contract with Service Provider for the Services contemplated by this Agreement, (b) the Records are true and correct, (c) Client is the lawful and rightful owner of the Records, and (d) Client has possession of the Records in full compliance with applicable law.

​

12. Entire Agreement

This Agreement, including and together with any related exhibits, schedules, attachments and appendices, constitutes the sole and entire agreement of the Parties with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, regarding such subject matter. The parties acknowledge and agree that if there is any conflict between the terms and conditions of this Agreement and the terms and conditions of any attached schedule, the terms and conditions of the applicable schedule shall supersede and control.

​

13. Notices

All notices, requests, consents, claims, demands, waivers and other communications under this Agreement (each, a “Notice”, and with the correlative meaning “Notify”) must be in writing and addressed to the other Party at its address (or to such other address that the receiving Party may designate from time to time in accordance with this Section). Unless otherwise agreed herein, all Notices must be delivered by personal delivery, nationally recognized overnight courier, certified or registered mail (in each case, return receipt requested, postage prepaid), or by email with delivery confirmation receipt. Except as otherwise provided in this Agreement, a Notice is effective only (a) on receipt by the receiving Party; and (b) if the Party giving the Notice has complied with the requirements of Section 13.

​

14. Severability

If any term or provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability shall not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon a determination that any term or provision is invalid, illegal or unenforceable, the court may modify this Agreement to affect the original intent of the Parties as closely as possible in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

​

15. Amendments

No amendment to or modification of or rescission, termination or discharge of this Agreement is effective unless it is in writing, identified as an amendment to or rescission, termination or discharge of this Agreement and signed by each Party.

​

16. Waiver

No waiver by any Party of any of the provisions of this Agreement shall be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, no failure to exercise, or delay in exercising, any right, remedy, power or privilege arising from this Agreement shall operate or be construed as a waiver thereof, nor shall any single or partial exercise of any right, remedy, power or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power or privilege.

​

17. Assignment

Client shall not assign, transfer, delegate or subcontract any of its rights or delegate any of its obligations under this Agreement without the express prior written consent of Service Provider. Any purported assignment or delegation in violation of this Section 17 shall be null and void. No assignment or delegation shall relieve the Client of any of its obligations under this Agreement.

 

18. Successors and Assigns

This Agreement is binding on and inures to the benefit of the Parties to this Agreement and their respective permitted successors and permitted assigns.

​

19. Choice of Law

This Agreement and all related documents, including, without limitation, the schedules or any other exhibit attached hereto, and all matters arising out of or relating to this Agreement, whether sounding in contract, tort, or statute, are governed by, and construed in accordance with, the laws of the State of Tennessee, United States of America.

 

20. Choice of Forum

Each Party irrevocably and unconditionally agrees that it will not commence any action, litigation or proceeding of any kind whatsoever against the other Party in any way arising from or relating to this Agreement, including all exhibits, schedules, attachments and appendices attached to this Agreement, and all contemplated transactions, including contract, equity, tort, fraud and statutory claims, in any forum other than the courts of Sumner County, Tennessee. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of such courts and agrees to bring any such action, litigation or proceeding only in Sumner County, Tennessee.

 

21. Force Majeure

No Party shall be liable or responsible to the other Party, or be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement, when and to the extent such failure or delay is caused by or results from acts beyond the impacted party’s (“Impacted Party”) control, including, without limitation, the following force majeure events (“Force Majeure Event/s”): (a) acts of God; (b) flood, fire, earthquake, explosion, pandemic, or epidemic; (c) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; (d) government order, law, or actions; (e) embargoes or blockades in effect on or after the date of this Agreement; (f) national or regional emergency; (g) strikes, labor stoppages or slowdowns, or other industrial disturbances; and (h) telecommunication breakdowns, power outages or shortages, lack of warehouse or storage space, inadequate transportation services, supply chain disruptions, or inability or delay in obtaining supplies of adequate or suitable materials; and (i) other events beyond the control of the Impacted Party. 

​

22. Counterparts  

This agreement is predicated, and formerly executed, and digitally documented by CLIENT’s completion of Service Provider’s online Registration Form, or CLIENT’s delivery of executed agreement to Service Provider, via email or standard mail.

 

​

​

SCHEDULE A

HIPAA BUSINESS ASSOCIATE AGREEMENT

​

1.Preamble and Definitions. 

1.1Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), CLIENT (“Covered Entity”) and Viera Rev, LLC / SERVICE PROVIDER, or any of its corporate affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

1.2This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in that certain Services Agreement of even date herewith (the “Underlying Agreement”).

1.3Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.

1.4Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.

1.5A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.

2.General Obligations of Business Associate. 

2.1Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required by Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

2.2Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by the BAA.

2.3Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use, or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

 

2.4The Business Associate agrees to the following breach notification requirements:

(a)Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within thirty (30) calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.

(b)In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

2.5Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

2.6Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

(a)Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.

(b)Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).

(c)Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

2.7Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

2.8Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

2.9Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 1.5).

2.10To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

2.11Business Associate agrees to account for the following disclosures:

(a)Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(b)Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

(c)Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested from Covered Entity.

(d)In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.

2.12Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

2.13Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

3.Permitted Uses and Disclosures by Business Associate.

3.1General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in Section 5), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.

3.2Business Associate may use or disclose PHI as Required by Law.

3.3Business Associate agrees to make uses and disclosures and requests for PHI: consistent with Covered Entity’s Minimum Necessary policies and procedures.

3.4Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.

4.Obligations of Covered Entity.

4.1Covered Entity shall:

(a)Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.

(b)Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.

(c)Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

4.2Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.

5.Compliance With Security Rule.

5.1Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

5.2In accordance with the Security Rule, Business Associate agrees to:

(a)Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;

(b)Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and

(c)Report to the Covered Entity any Security Incident of which it becomes aware.

6.Indemnification.

The parties agree and acknowledge that except as set forth herein, the indemnification obligations contained under the Underlying Agreement shall govern each party’s performance under this BAA.

7.Term and Termination.

7.1This BAA shall be in effect and coincide with the term of the Underlying Agreement.

7.2Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed sixty (60) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.

7.3Upon termination of this BAA for any reason, the parties agree that:

Business associate shall destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.

7.4The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.

8.Miscellaneous.

8.1The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.

8.2The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.

8.3This BAA shall be interpreted in the following manner:

(a)Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

(b)Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.

(c)Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.

8.4This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

8.5This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.

8.6Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the laws of the state of the same internal laws as that of the Underlying Agreement.