Terms
View our Master Services Agreement and Business Associate Agreement
Master Services Agreement
THIS AGREEMENT GOVERNS CUSTOMER’S ACQUISITION AND USE OF THE SERVICES. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY ACCEPTING THIS AGREEMENT, EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.
This Master Services Agreement (this “Agreement”), effective as of the Effective Date, is by and between Provider 1st, LLC, a California limited liability company (“Provider1st”) and Customer. “Customer” means in the case of an individual accepting this Agreement on his or her own behalf, such individual, or in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity and its Affiliates for which such individual is accepting this Agreement which has entered into the Order Form. Customer and Provider1st may each be referred to as a “Party” and together they are referred to as the “Parties”.
WHEREAS, Provider1st supports providers and healthcare organizations through a suite of solutions; and
WHEREAS, Customer desires to retain Provider1st to provide the Services (as defined below), and Provider1st is willing to perform the Services on the terms and conditions hereinafter set forth;
NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Provider1st and Customer agree as follows:
1. Definitions.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Effective Date” means the last date each of the Parties has executed the Order Form.
“Order Form” means an ordering document specifying the Services to be provided hereunder that is entered into between Customer and Provider1st, including any addenda and supplements thereto.
“Services” means the services set out in an Order Form.
2. Services. Provider1st shall provide to Customer the Services listed in the Order Form, which shall be incorporated into and part of this Agreement. Additional Order Forms shall be deemed issued and accepted only if signed by both Parties.
3. Customer Obligations. Customer shall:
3.1 Designate one of its employees or agents to serve as its primary contact with respect to this Agreement and to act as its authorized representative with respect to matters pertaining to this Agreement (the “Customer Contact”), with such designation to remain in force unless and until a successor Customer Contact is appointed and written notice thereof has been provided to Provider1st.
3.2 Cooperate with Provider1st in its performance of the Services, including, but not limited to requiring that the Customer Contact respond promptly to any reasonable requests from Provider1st for instructions, access to requested records, information, or approvals required by Provider1st to provide the Services.
3.3 Provide access to Customer’s relevant systems, documentation, employees, contractors, subcontractors, software and equipment as required to enable Provider1st to provide the Services.
3.4 Obtain and maintain any necessary patient consent or authorizations necessary in connection with the Services, including securing, verifying and approving written authorizations for the disclosure of medical records and the content, accuracy, or completeness and quality of any and all information shared via Services.
3.5 Provide Provider1st (i) all fees delivered to Customer and processed by Customer with regard to requests for health information that Provider1st administers on Customer’s behalf, (ii) a reconciliation of all fees received by Customer in connection with the foregoing. Customer expressly authorizes Provider1st to collect fees from requesting parties for the processing of medical record requests. Provider1st will collect and retain all fees associated with medical record requests.
3.6 Comply with all applicable laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health (“HITECH Act”), and any other relevant laws and regulations regarding privacy. To the extent applicable, Customer shall comply with the Business Associate Agreement linked in the Order Form and incorporated herein by reference.
4. Fees and Expenses.
4.1 In consideration of the provision of the Services by Provider1st and the rights granted to Customer under this Agreement, Customer shall pay the fees set out in the applicable Order Form. Customer shall also reimburse Provider1st for all reasonable expenses incurred in accordance with any Order Form, including but not limited to any travel, meals, printing, copying, postage or similar expenses. Such fees and expenses will be payable by Customer to Provider1st within thirty (30) days of the date the invoice was sent by Provider1st to Customer.
4.2 Customer shall be responsible for all sales, use and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state or local governmental entity on any amounts payable by Customer hereunder; and to the extent Provider1st is required to pay any such sales, use, excise, or other taxes or other duties or charges, Customer shall reimburse Provider1st in connection with its payment of fees and expenses as set forth in this Section 4. Notwithstanding the previous sentence, in no event shall Customer pay or be responsible for any taxes imposed on, or regarding, Provider1st’s income, revenues, gross receipts, personnel, or real or personal property or other assets.
4.3 All late payments shall bear interest at the lesser of (a) the rate of 1% per month or (b) the highest rate permissible under applicable law. Customer shall reimburse Provider1st for all costs and expenses incurred in collecting any late payments, including, without limitation, attorneys’ fees. In addition to all other remedies available under this Agreement or at law (which Provider1st does not waive by the exercise of any rights hereunder), Provider1st shall be entitled to suspend the provision of any Services if Customer fails to pay any amounts when due hereunder and such failure continues for thirty (30) days following written notice thereof.
5. Limited Warranty and Limitation of Liability.
5.1 Provider1st warrants that it shall perform the Services in accordance with the terms and conditions set out in this Agreement and the Order Form.
5.2 Provider1st shall use commercially reasonable efforts to promptly cure any such breach; provided, that if Provider1st cannot cure such breach within a reasonable time (but in no event more than thirty (30) days after Customer’s written notice of such breach), Customer may, at its option, terminate the Agreement by serving written notice of termination in accordance with Section 7.2. The foregoing is Provider1st’s sole and exclusive liability and Customer’s sole and exclusive remedy for breach of this warranty.
5.3 PROVIDER1ST MAKES NO WARRANTIES EXCEPT AS EXPRESSLY PROVIDED IN SECTION 5.1 ABOVE. ALL OTHER WARRANTIES, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WHETHER EXPRESS OR IMPLIED, ARE EXPRESSLY DISCLAIMED.
6. Confidentiality. From time to time during the Term of this Agreement, either Party (as such, the “Disclosing Party”) may disclose or make available to the other Party (as such, the “Receiving Party”), non-public, proprietary, and Confidential Information of Disclosing Party. “Confidential Information” shall mean all technical, financial and business information, business and marketing development plans, customer lists, research plans and/or projections, processes, techniques, designs, technology, ideas, know-how, information about operations and maintenance, trade secrets, information regarding the skills and compensation of employees and contractors, information concerning actual or anticipated business, information or any other information that would reasonably be deemed to be confidential information. Confidential Information does not include any information that: (a) is or becomes generally available to the public other than as a result of Receiving Party’s breach of this Section 6; (b) is or becomes available to the Receiving Party on a non-confidential basis from a third-party source, provided that such third party is not and was not prohibited from disclosing such Confidential Information; (c) was in Receiving Party’s possession prior to Disclosing Party’s disclosure hereunder; or (d) was or is independently developed by Receiving Party without using any Confidential Information. The Receiving Party shall protect and safeguard the confidentiality of the Disclosing Party’s Confidential Information with at least the same degree of care as the Receiving Party would protect its own Confidential Information, but in no event with less than a commercially reasonable degree of care. The Receiving Party may not use the Disclosing Party’s Confidential Information, or permit it to be accessed or used, for any purpose other than to exercise its rights or perform its obligations under this Agreement. 
Additionally, the Receiving Party may not disclose any such Confidential Information to any person or entity, except to the Receiving Party’s contractors, subcontractors, agents or employees who need to know the Confidential Information to assist the Receiving Party, or act on its behalf, to exercise its rights or perform its obligations under this Agreement. If the Receiving Party is required by applicable law or legal process to disclose any Confidential Information, it shall, prior to making such disclosure, use commercially reasonable efforts to notify Disclosing Party of such requirements to afford Disclosing Party the opportunity to seek, at Disclosing Party’s sole cost and expense, a protective order or other remedy.
7. Term, Termination, and Survival.
7.1 This Agreement shall commence as of the Effective Date and shall continue thereafter until the completion of the Services under all Order Forms unless sooner terminated pursuant to Section 7.2 or Section 7.3. Each Order Form shall have an initial term of twelve (12) months (“Initial Term”). Upon expiration of the Initial Term, the Order Form shall automatically renew for successive twelve (12) month periods (each, a “Renewal Term”) unless either Party provides the other Party with written notice of its intent not to renew at least ninety (90) days prior to the expiration of the then current term.
7.2 Either Party may terminate this Agreement and any Order Form, effective upon written notice to the other Party (the “Defaulting Party”) if the Defaulting Party:
(a) Materially breaches this Agreement, and the Defaulting Party does not cure such breach within fifteen (15) days after receipt of written notice of such breach, or such material breach is incapable of cure.
(b) Becomes insolvent, is unable, or admits its inability to pay its debts generally as they become due.
7.3 Notwithstanding anything to the contrary in Section 7.2(a), Provider1st may terminate this Agreement or any Order Form for convenience upon thirty (30) days written notice to Customer.
7.4 The rights and obligations of the Parties set forth in this Section 7.4 and in Sections 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 and any right or obligation of the Parties in this Agreement which, by its nature, should survive termination or expiration of this Agreement, will survive any such termination or expiration of this Agreement.
8. Limitation of Liability.
8.1 IN NO EVENT SHALL PROVIDER1ST OR ITS SUPPLIERS, OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS, OR EMPLOYEES BE LIABLE TO CUSTOMER OR TO ANY THIRD PARTY FOR ANY LOSS OF USE, REVENUE, PROFIT, OR LOSS OF DATA, DIMINUTION IN VALUE, OR FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, PUNITIVE OR OTHER DAMAGES, WHETHER ARISING OUT OF BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT PROVIDER1ST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8.2 IN NO EVENT SHALL THE AGGREGATE LIABILITY OF PROVIDER1ST ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EXCEED $100,000 IN THE AGGREGATE.
9. Customer Indemnification. Customer agrees to indemnify, defend and hold Provider1st harmless from and against any and all losses, liabilities, claims, damages, costs, and expenses (collectively, “Losses”) arising from or relating to the Services except to the extent such claim or Losses result from a breach by Provider1st of this Agreement.
10. Insurance. During the term of this Agreement, Customer shall, at its own expense, maintain and carry customary and industry standard insurance with financially sound and reputable insurers, in full force and effect that includes, but is not limited to, errors and omissions insurance and commercial general liability insurance in sums no less than $1,000,000 per claim/$3,000,000 in the aggregate. Upon Provider1st’s request, Customer shall provide Provider1st with a certificate of insurance from Customer’s insurer evidencing the insurance coverage specified in this Agreement. The certificate of insurance shall name Provider1st as an additional insured. Customer shall provide Provider1st with thirty (30) days’ advance written notice in the event of a cancellation or material change in any such policies.
11. Non-solicitation. During the Term of this Agreement and for one year thereafter, Customer shall refrain from recruitment of or hiring of Provider1st’s personnel performing any Services hereunder, unless Provider1st agrees to such recruitment or hiring in advance in writing.
12. Entire Agreement. This Agreement, including and together with any related Order Form, the Business Associate Agreement, exhibits, schedules, attachments and appendices, constitutes the sole and entire agreement of the Parties with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, regarding such subject matter. The parties acknowledge and agree that if there is any conflict between the terms and conditions of this Agreement and the terms and conditions of any Order Form, the terms and conditions of the Order Form shall supersede and control. If the BAA conflicts with any of the Order Forms or the terms and conditions of this Agreement, the BAA will control.
13. Notices. All notices, requests, consents, claims, demands, waivers and other communications under this Agreement (each, a “Notice”, and with the correlative meaning “Notify”) must be in writing and addressed to the other Party at its addresses set forth in the Order Form (or to such other address that the receiving Party may designate from time to time in accordance with this Section). Unless otherwise agreed herein, all Notices must be delivered by personal delivery, nationally recognized overnight courier or certified or registered mail (in each case, return receipt requested, postage prepaid). Except as otherwise provided in this Agreement, a Notice is effective only (a) on receipt by the receiving Party; and (b) if the Party giving the Notice has complied with the requirements of this Section 13.
14. Severability. If any term or provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability shall not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction.
15. Amendments. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party.
16. Waiver. No waiver by any Party of any of the provisions of this Agreement shall be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, no failure to exercise, or delay in exercising, any right, remedy, power or privilege arising from this Agreement shall operate or be construed as a waiver thereof, nor shall any single or partial exercise of any right, remedy, power or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power or privilege.
17. Assignment. Customer shall not assign, transfer, delegate or subcontract any of its rights or delegate any of its obligations under this Agreement without the prior written consent of Provider1st. Any purported assignment or delegation in violation of this Section 17 shall be null and void. No assignment or delegation shall relieve the Customer of any of its obligations under this Agreement. Provider1st may assign any of its rights or delegate any of its obligations to any subcontractor or to any affiliate or to any person acquiring all or substantially all of Provider1st’s assets, in each case without Customer’s consent.
18. Successors and Assigns. This Agreement is binding on and inures to the benefit of the Parties to this Agreement and their respective permitted successors and permitted assigns.
19. Relationship of the Parties. The relationship between the Parties is that of independent contractors. The details of the method and manner for performance of the Services by Provider1st shall be under its own control, Customer being interested only in the results thereof. Provider1st shall be solely responsible for supervising, controlling and directing the details and manner of the completion of the Services. Nothing contained in this Agreement shall be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the parties.
20. No Third-Party Beneficiaries. This Agreement benefits solely the Parties to this Agreement and their respective permitted successors and assigns and nothing in this Agreement, express or implied, confers on any other Person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Agreement.
21. Choice of Law, Venue. This Agreement and all matters arising out of or relating to this Agreement shall be governed by, and construed in accordance with, the laws of the State of California. Venue shall be proper in the appropriate courts located in Orange County, California. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts in Orange County, California.
22. Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. A signed copy of this Agreement delivered by facsimile, email, or other means of electronic transmission is deemed to have the same legal effect as delivery of an original signed copy of this Agreement.
23. Force Majeure. No Party shall be liable or responsible to the other Party, or be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement (except for any obligations of the Customer to make payments to Provider1st hereunder), when and to the extent such failure or delay is caused by or results from acts beyond the impacted party’s (“Impacted Party”) reasonable control, including, without limitation, the following force majeure events (“Force Majeure Event(s)”): (a) acts of God; (b) flood, fire, earthquake, or explosion; (c) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot or other civil unrest; (d) government order, law, or actions; (e) embargoes or blockades in effect on or after the date of this Agreement; (f) national or regional emergency; (g) strikes, labor stoppages or slowdowns, or other industrial disturbances; (h) telecommunication breakdowns, power outages or shortages and (i) other events beyond the reasonable control of the Impacted Party. The Impacted Party shall give notice of the Force Majeure Event to the other Party, stating the period of time the occurrence is expected to continue. The Impacted Party shall use diligent efforts to end the failure or delay and ensure the effects of such Force Majeure Event are minimized. The Impacted Party shall resume the performance of its obligations as soon as reasonably practicable after the removal of the cause.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BAA”), is effective as of the date fully executed (the “Effective Date”), and is between Customer (“Covered Entity”) and Provider1st, LLC (“Business Associate”), each a “Party” and collectively the “Parties.” This BAA is entered into to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the related privacy and security provisions of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005, also known as the Health Information Technology for Economic and Clinical Health Act) and the regulations promulgated under each of those statutes, as they may be amended from time to time (collectively “HIPAA”).
WHEREAS, Business Associate provides or will provide certain services to Covered Entity under one or more agreements between the parties (collectively the “Agreement”);
WHEREAS, in providing those services, Business Associate may have access to PHI and may accordingly become a “business associate” of Covered Entity, as that term is defined under HIPAA;
NOW, THEREFORE, in consideration of the mutual promises in this BAA and the Agreement, and the exchange of information pursuant to this BAA, the parties agree as follows:
I. Definitions: Capitalized terms that are used in this BAA and not defined will have the meanings given to them in HIPAA. The below terms have the following meanings (incorporating any amendments to statutory and regulatory references that may occur from time to time):
A. “Breach” has the meaning given to that term under 45 C.F.R. § 164.402, as applied to unsecured PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
B. “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
C. “Data Aggregation” has the meaning given to that term in the Privacy Rule, including but not limited to, 45 C.F.R. § 164.501.
D. “Designated Record Set” has the meaning given to that term in the Privacy Rule.
E. “HIPAA” means collectively the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as in effect at the time of this agreement, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, the Genetic Information Nondiscrimination Act (“GINA”) and the Reproductive Healthcare Final Rule.
F. “Individual” has the meaning given to such term under 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
G. “Protected Health Information” or “PHI”, “ePHI” have the meanings given to such terms at 45 C.F.R. § 160.103, as applied to information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity. PHI and ePHI are collectively referred to as “PHI.” “PHI” consists of and is not limited to health information protected under 45 CFR Part 2 and 45 CFR § 164.502(a)(5)(iii).
H. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E.
I. “Required by Law” has the meaning given to that term in 45 C.F.R. § 164.103.
J. “Security Incident” has the meaning given to that term in 45 C.F.R. § 164.304, as applied to PHI under this BAA.
K. “Security Rule” means the Security Standard for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and C.
L. “Unsecured PHI” has the meaning given to that term in 42 U.S.C. § 17932(h) and the term “unsecured protected health information” at 45 C.F.R. § 164.402 as applied to PHI under this BAA.
M. “Unsuccessful Security Incident” means a Security Incident that does not result in unauthorized access, use, disclosure, modification or destruction of PHI (including, but not limited to, pings on Business Associate’s firewall, port scans, attempts to log on to a system or enter a database with an invalid username or password and denial-of-service attacks).
II. Permitted Uses and Disclosures:
A. Except as otherwise provided in this BAA, Business Associate may only use or disclose PHI:
i. as reasonably necessary for Business Associate to provide its services under the Agreement;
ii. as Required by Law; and
iii. for Business Associate’s proper management and administration, and to fulfill its legal responsibilities; provided, however, that if Business Associate discloses PHI to a third party for any such purpose, then Business Associate shall obtain reasonable written assurances from the third party that the third party will (i) hold the PHI in confidence and further use or disclose it only as Required by Law or for the purpose for which it was disclosed and (ii) notify Business Associate in writing of any other use or disclosure of the PHI.
B. Business Associate may use PHI to provide Data Aggregation services to Covered Entity for Covered Entity’s healthcare operations.
C. Business Associate may deidentify PHI and use such deidentified data for Business Associate’s internal business purposes, including performance monitoring and benchmarking, and systems training any algorithms and models, the use of which will not confer any rights whatsoever of Business Associate’s tools, property, or systems to Covered Entity or any other party. Re-identification of de-identified data is prohibited by the Business Associate and the terms of this BAA.
III. Other Obligations of Business Associate:
A. Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI in any manner not permitted by this BAA.
B. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any Electronic PHI. Without limiting the foregoing, Business Associate shall comply with the Security Rule.
C. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
D. To the extent Business Associate agrees in writing to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
E. The Business Associate agrees to complete a due diligence questionnaire at the time of signing this Agreement and annually thereafter. Additionally, the Business Associate shall promptly complete an updated questionnaire whenever there are significant changes to their security measures, or any items covered in the due diligence form.
IV. Disclosure to Subcontractors:
A. If Business Associate discloses PHI to any agents or subcontractors, then Business Associate shall obligate each such agent and subcontractor to agree in writing:
i. to the material obligations regarding the use and disclosure of PHI contained in this BAA and
ii. without limiting the foregoing, to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or, through Business Associate, Covered Entity.
V. Reporting of Improper Uses, Disclosures, Breaches and Security Incidents:
A. Business Associate shall notify Covered Entity in writing of any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured PHI, within 15 business days of becoming aware of it.
B. Business Associate shall notify Covered Entity in writing of any Security Incident affecting Electronic PHI as required by 45 C.F.R. § 164.410 within 5 business days of becoming aware of it (unless precluded by a law enforcement delay pursuant to 45 C.F.R. § 164.512), except that the parties agree that this paragraph constitutes notice by Business Associate to Covered Entity of the ongoing occurrence of attempted but Unsuccessful Security Incidents. Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement of any fault or liability with respect to any use, disclosure, Security Incident, or Breach.
C. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA.
VI. Access to and Amendment of PHI/Accounting of Disclosures:
A. To the extent Business Associate maintains PHI in a Designated Record Set, it shall, within ten business days of receiving a written request from Covered Entity, provide Covered Entity with the PHI in the applicable Designated Record Set(s) to the extent reasonably required:
i. for Covered Entity to provide Individuals with access to PHI in accordance with 45 CFR § 164.524; and
ii. for Covered Entity to respond to a request by an Individual to amend PHI in accordance with 45 C.F.R. § 164.526.
B. If an Individual requests access to PHI directly from Business Associate, or requests that Business Associate amend PHI, then Business Associate shall forward that request to Covered Entity within ten business days of receiving it. Covered Entity will be solely responsible for responding to any such requests.
C. Business Associate shall document any disclosures of PHI that it makes as required by 45 C.F.R. § 164.528(a). Within ten business days of receiving a request from Covered Entity, Business Associate shall provide Covered Entity with any information that Covered Entity reasonably requires to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
VII. Obligations of Covered Entity:
A. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA and other applicable laws if done by Covered Entity.
B. Covered Entity shall only provide Business Associate with PHI that is necessary for Business Associate to provide its services under the Agreement.
C. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI: (i) in Covered Entity’s notice of privacy practices, (ii) resulting from any changes in, or revocation of, permission by an Individual to use or disclose PHI or (iii) to which Covered Entity has agreed, each to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
D. Covered Entity shall use all efforts to avoid any restrictions on the use or disclosure of PHI that would materially impair Business Associate’s ability to perform under the Agreement.
E. Covered Entity hereby warrants that it has obtained legally sufficient permission under HIPAA and other applicable laws to disclose all PHI that it provides to Business Associate under this BAA.
F. Covered Entity shall encrypt all Electronic PHI in transit to Business Associate via AES-256, or another encryption protocol that provides materially equivalent protection.
VIII. Limitation of Liability: NOTWITHSTANDING ANYTHING IN THE AGREEMENT TO THE CONTRARY, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE TOTAL LIABILITY OF BUSINESS ASSOCIATE (AND ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AND OTHER AGENTS) UNDER THIS BAA, WHETHER TO COVERED ENTITY OR ANY THIRD PARTY, WILL NOT EXCEED $100,000 IN THE AGGREGATE. THIS SECTION VIII WILL SURVIVE THE TERMINATION OF THIS BAA.
IX. Access by HHS: Subject to Business Associate’s reasonable confidentiality and security practices, Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
X. Term: This BAA will become effective on the Effective Date and will remain in effect until all Agreements under which Business Associate may create or receive PHI terminate or expire. At that time, this BAA will automatically terminate.
XI. Termination for Cause: Either party may terminate this BAA for cause if the other party materially breaches it and fails to cure that breach within thirty days of receiving written notice from the non-breaching party. Termination under this Section XI will be effective upon the non-breaching party’s provision of a written termination notice to the breaching party.
XII. Return of PHI Upon Termination: Upon termination of this BAA for any reason, Business Associate shall, if feasible, return or destroy all PHI maintained by Business Associate. If, in Business Associate’s reasonable judgment, return or destruction of PHI is not feasible, then Business Associate shall notify Covered Entity in writing of the reasons that make return or destruction infeasible. Business Associate may then retain any PHI that it is not feasible to return or destroy, provided that Business Associate shall extend the protections of this BAA to such information and limit further use and disclosure of the affected PHI to those purposes that make the return or destruction infeasible. This Section XII will survive the termination of this BAA.
XIII. Amendment: The parties shall negotiate in good faith to modify this BAA as reasonably necessary to comply with HIPAA, as it may be amended from time to time.
XIV. Agreement; Conflicting Terms: This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any terms of the Agreement, the terms of this BAA will govern.
XV. No Third-Party Beneficiaries: Except as explicitly set forth in Section VIII, this BAA does not confer any rights upon any person or entity other than the parties (and their respective successors and permitted assigns).
XVI. Independent Contractors: The parties intend that their relationship will be that of independent contractors. Neither party may bind the other without the written permission of the party to be bound.
XVII. Notices: The parties shall provide any notices under this BAA to the addresses set forth in the Notices section in the underlying Provider1st Service Agreement between the parties.
XVIII. Modification; Waiver: This BAA may not be modified except in a writing signed by authorized representatives of the parties that explicitly reference this BAA. No waiver of satisfaction of a condition or nonperformance of an obligation under this BAA will be effective unless it is in writing and signed by the party granting the waiver.
XIX. Counterparts: This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Electronic (pdf) copies thereof shall be deemed to be original.


