LICENSE AGREEMENT
Revised October 16, 2024
This License Agreement (“Agreement”) is a legally binding contract between you (“Licensee”, “you” or “your”) and Fullsteam Software Holdings LLC DBA Eye Cloud Pro (“Licensor,” “we” or “our”). You acknowledge that you have read this Agreement and understand it and that by accessing, viewing or using the Eye Cloud Pro all-in-one optometry software (“Software”) you agree to be bound by its terms and conditions. If you do not wish to be bound by the terms and conditions of this Agreement, do not access, view, or use our Software and/or services.
- Grant of License.
- Grant to Licensee. Subject to the terms and conditions of this Agreement, Licensor grants to Licensee a non-exclusive, non-transferable license to electronically access and use the Software in connection with its business operations at the Licensed Locations (as defined in Section 2 below). Licensee does not acquire any rights in the Software or services, express or implied, other than those expressly granted in this Agreement and all rights not expressly granted to Licensee are reserved by Licensor and its third-party service providers (“Third-Party Service Providers”). Licensee acknowledges and agrees that Licensor or its Third-Party Service Providers shall own all right, title and interest in and to all intellectual property rights in the Software and services and any suggestions, enhancement requests, feedback, or recommendations provided by Licensee or its users relating to the Software or services.
- Grant to Licensor. Subject to the terms and conditions of this Agreement, Licensee grants to Vendor and Third-Party Service Providers the non-exclusive, nontransferable worldwide right to copy, store, record, transmit, display, view, print or otherwise use (a) all data, files, documents, and other information that Licensee uploads to or transfers in or through the Software or provides in the course of using the Service (“Licensee Data”) to the extent necessary to provide the Software and exercise any rights and obligations hereunder. Licensee acknowledges and agrees that Licensee Data and information regarding Licensee and Licensee’s users that is provided to Vendor and its Third-Party Service Providers in connection with this Agreement may be (a) processed by Vendor and its Third-Party Service Providers to the extent necessary to provide the Service and (b) transferred outside of the country or any other jurisdiction where Licensee and Licensee’s users are located. In addition, Licensee acknowledges and agrees that it is Licensee’s obligation to inform Licensee’s users and customers of the processing of Licensee Data and information regarding Licensee and Licensee’s users pursuant to this Agreement and to ensure that such users and customers have given any necessary consent to such processing as required by all applicable data protection legislation. Licensee shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and copyright of all Licensee Data and information regarding Licensee and Licensee’s users. Licensee agrees that the license to the Licensee Data shall survive termination of this Agreement solely to exercise Licensor’s rights and obligations in accordance with the terms of this Agreement.
- License Fee; Non-Integrated Payment Processing Fee; Payment; Licensed Locations.
- The License Fee shall be due and payable monthly, in advance, on the first day of each calendar month, provided that the first month’s License Fee shall be pro-rated based on the number of remaining days in the calendar month after the Effective Date.
- The license hereunder is granted with respect to the physical store location(s) set forth on your Order Form. Each such location, together with any successor location resulting from a relocation, a “Licensed Location”.
- Licensee must be enrolled in and processing payments through Licensor’s integrated payments processing tool within the earlier of (i) sixty (60) days after the effective date of their Order Form for first-time Licensee use of Software hereunder, or (ii) thirty (30) days after the Effective Date of this Agreement. Unless Licensor determines in its sole discretion that Licensee qualifies for a temporary or ongoing exemption, Licensor may charge a non-integrated payment processing fee if Licensee does not process payments through Licensor’s integrated payment solution within the required timeframe. Applicable Non-Integration payment processing fees shall be charged a minimum (subject to increases and any other applicable fees) of: (i) $200/month/site for Eye Cloud Pro, (ii) $200/month/site for Eye Cloud Retail, and (iii) $150/month/site for Eye Cloud Doctor. Licensor reserves the right to apply such fee in its sole discretion, and to apply, modify, increase, decrease the Non-Integration Payment Processing fee at any time subject to revision here in and posting of a revised Agreement pursuant to Section 13.10.
2.4 Licensee shall be solely responsible for and agrees to pay any and all sales, use, communications, excise, or similar tax or duty, and any other tax not based on Licensor’s net income.
- Reservation of Rights and Ownership. The Software is licensed not sold, and Licensor reserves all rights not expressly granted to Licensee in this Agreement. Title to the Software (including any modifications or enhancements thereto) and all related documentation shall remain at all times vested in Licensor. All applicable rights to patents, copyrights, trademarks, and trade secrets in the Software, including any modifications or enhancements made at Licensee’s request or otherwise, are and shall remain vested in Licensor. No right or license shall be implied by estoppel or otherwise, other than the rights and licenses expressly granted in this Agreement. Licensor shall retain all ownership right, title, and interest in the Software.
- Licensor’s Obligations.
- Maintenance of Software, Servers, and other Equipment. Licensor shall maintain the Software and the database servers, web servers, backup devices, routers and other equipment associated with the Software. Notwithstanding the foregoing, Licensee agrees that from time to time the Software may be inaccessible or inoperable for any reason, including, without limitation: (i) equipment malfunctions; (ii) periodic maintenance procedures or repairs which Licensor may undertake from time to time; or (iii) causes beyond the control of Licensor or which are not reasonably foreseeable by Licensor. Licensor uses commercially reasonable efforts to implement and maintain safeguards designed to maintain the confidentiality and integrity of the customer account data stored on Licensor’s servers, which may include conducting routine system maintenance and monitoring.
- Support, Training, and Customizations. Licensor and Licensee will determine the best method for training Licensee’s staff. For onsite training, the Licensee will pay a per training day charge, in addition to the cost of transportation and lodging. Licensor will provide technical support through the website and/or via telephone, at no charge, during normal business hours, or at such other times and methods as deemed appropriate in Licensor’s sole discretion. Licensee may request customizations or content changes to the Software at our standard per hour rate. All updates, revisions and new modules (excluding Licensee-requested customizations or content changes) will be provided at no additional cost to Licensee. Licensee agrees that Licensor has no obligation to make updates, revisions or new modules.
- Licensee’s Obligations.
- Only for Licensee’s Use. Licensee shall use the Software only for Licensee’s own internal use to operate or monitor the Licensed Locations, and only by authorized managers, partners, employees and contract personnel of Licensee. The Software may be used either at the Licensed Locations or can be accessed remotely.
- Responsibility for Use. Licensee is solely responsible for the selection and maintenance of the computer equipment appropriate to Licensee’s need, proper use of the Software by authorized personnel, measures to prevent loss of employee passwords and unauthorized access to the Software, and all other matters under its control. Further, Licensee is solely responsible for ensuring that it utilizes the Software in a manner that complies with local, state, and federal laws, rules and regulations. This includes, but is not limited to, compliance with applicable email and telemarketing laws such as the CAN-SPAM Act and Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, the EU ePrivacy Regulation, and comparable state laws. Moreover, Licensee represents and warrants that each person to whom an email and/or text message is to be sent has specifically granted Licensee permission to do so by whatever technology Licensee chooses; and opt-outs are provided pursuant to applicable law, rule or regulation. Moreover, Licensee will abide by Title III of the Americans with Disabilities Act (“ADA”) and New York’s state and city level Human Rights Act, and California’s Unruh Civil Rights Act and Consumer Privacy Act.
- No Modification of Software. Licensee shall not modify the Software in any manner whatsoever. Licensee agrees it will not decompile, disassemble, or attempt in any way to reverse engineer the Software or develop a competing product based on the Software. Any modifications or enhancements made to the Software, including all copyrights, patentable or unpatentable subject matter and trade secret as shall be owned by Licensor and Licensee hereby assigns all its right, title and interest in any such modifications to Licensor. Licensee’s obligations under this subpart shall survive any termination of this Agreement.
- Confidentiality. Licensee will permit no portion of the Software to be duplicated, rented, loaned, sublicensed, transferred, copied or possessed (whether by sale, exchange, gift or otherwise) or disseminated to any third-party without the prior written consent of Licensor. Licensee will take all reasonable steps to safeguard the Software and to prevent unauthorized persons from having access to same.
- PCI Compliance. Licensee is solely responsible for compliance with applicable PCI-DSS requirements; Licensor has no obligation to assist with PCI-DSS requirements in any way. Any assistance provided by Licensor, or by Licensor’s employees, contractors, agents, representatives or other related persons, at the request of Licensee, is provided without warranty or liability.
- DISCLAIMER OF WARRANTIES. THE SOFTWARE IS PROVIDED “AS-IS,” WITH ALL FAULTS, AND WITHOUT WARRANTY OF ANY KIND. LICENSOR SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT, QUALITY OF INFORMATION, AND TITLE/NON-INFRINGEMENT. LICENSOR MAKES NO REPRESENTATION OR WARRANTY THAT THE SOFTWARE WILL BE SECURE OR FREE FROM BUGS, VIRUSES, INTERRUPTION, ERRORS, IDENTITY THEFT, THREAT OF HACKERS OR OTHER PROGRAM LIMITATIONS. LICENSOR FURTHER EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE RELATED TO ANY CONFIGURATION, REPAIR, UPDATE, INSTALLATION OR OTHER WORK DONE ON THE LICENSEE’S PREMISES BY AN EMPLOYEE, CONTRACTOR, AGENT, OR OTHER THIRD-PARTY OF OR UNDER CONTRACT WITH LICENSOR.
- LIMITATION OF LIABILITY AND DAMAGES. IN NO EVENT SHALL LICENSOR BE LIABLE TO LICENSEE OR ANY THIRD-PARTY FOR ANY SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO ANY DAMAGES RESULTING FROM LOSS OF USE, LOSS OF DATA, LOSS OF PROFITS OR LOSS OF BUSINESS, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL LICENSOR’S LIABILITY FOR ANY DAMAGES TO LICENSEE OR ANY OTHER PERSON EVER EXCEED, IN THE AGGREGATE, THE ACTUAL LICENSE FEES LICENSEE PAID FOR USE OF THE SOFTWARE, REGARDLESS OF ANY FORM OF THE CLAIM.
- If the Software becomes, or in Licensor’s opinion is likely to become, the subject of an infringement or misappropriation claim, Licensor may, at its option and expense, (a) procure for the Licensee the right to continue using the Software, (b) replace or modify the Software with Software that that provides substantially the same functionality, features, and performance so that it becomes non-infringing, or (c) if neither of the foregoing actions is commercially feasible, terminate this Agreement with respect to the infringing material and refund to Licensee a pro-rata refund of the license fees paid for under the Agreement for the terminated portion of the Term.
Licensee will indemnify, defend and hold harmless Licensor and its parents, affiliates, subsidiaries, officers, employees, directors, shareholders, and agents from and against any and all third-party claims arising out of or pertaining to Licensee’s (i) modification of the Software; (ii) Licensee’s business or operations; or (iii) Licensee’s use of the Software in a manner that violates any local, state, or federal laws, rules or regulations.
- Use of Data.
- Licensor shall maintain the security of Personal Information, and protect the integrity of Personal Information, pursuant to the Business Associate Agreement between Licensor and Licensee, attached hereto as Exhibit A, with a commercially reasonable degree of care. Licensor shall hold all Personal Information in confidence and shall not use or disclose Personal Information except: (a) as specifically permitted or required by applicable law, regulation, subpoena, or court order; or (b) as expressly permitted in writing by Licensee and/or the applicable patient to which such Personal Information refers or relates as is provided in Licensor’s Privacy Policy (https://www.eyecloudpro.com/privacy-policy), as updated from time-to-time. “Personal Information” means all personally identifiable information referring or relating to a patient or customer that is uploaded to and stored in the Software, which may include, but is not limited to, the patient’s or customer’s name, addresses, telephone numbers, social security number, insurance information, health condition and medical history information and all protected health information as such term is defined in the Health Insurance Portability and Accountability Act of 1996 as amended (“HIPAA”).
- Deidentified Data. You hereby agree and authorize Licensor to de-identify Licensee Data in accordance with the HIPAA Rules to create a de-identified data set. You grant Licensor a nonexclusive, worldwide, paid-up, royalty-free, perpetual and irrevocable right and license to create derivative works of the de-identified data set and to use, copy, process, analyze, execute, reproduce, display, perform, transfer, distribute, and sublicense the de-identified data set and such derivative works in any technology now existing or later developed.
- Term and Termination.
- This Agreement shall commence as of the Effective Date and shall continue unless and until it is terminated pursuant to the provisions set forth in this Agreement.
- Termination. Either party may terminate this Agreement and the license granted hereunder upon thirty (30) days prior written notice to the other party, in which case all License Fees and other charges incurred hereunder shall be paid through to date. Upon termination, Licensee shall immediately cease to access or use the Software, and to the extent applicable, shall immediately delete the Software from all computers, servers, or other computer devices on which the Software is utilized. Notwithstanding the foregoing, Licensee will have the option to have “read only access” to any Licensee data in the Software as of the effective date of termination, after termination, for a monthly fee per Licensed Location. This data access fee shall be due and payable monthly, in advance, on the first day of each calendar month. Notwithstanding the foregoing, if your access to the Software is suspended for non-payment of fees or this Agreement is terminated, Licensor will have no obligation to provide you access or store Your Data.
- Transfer of Customer Data Following Termination. Upon termination of the Agreement for any reason, Licensor shall export and deliver Licensee’s patient demographic data in ASCII delimited text format, via a common media such as a data file or shared via cloud drive. No other data will be exported. Demographic data will consist of customer names, addresses, phones, and email addresses. Licensor will then promptly and permanently delete all such data and any copies thereof from Licensor’s servers and other storage devices (unless Licensee requests “read only access” pursuant to Section 11.2 above). After such removal from Licensor’s servers, Licensee (and/or its third-party vendor, as the case may be) shall have sole custodianship over and responsibility for maintaining and securing such data, and no person or entity (including Licensee) will be able to obtain access to such deleted data from Licensor. Licensor’s obligations are limited to exporting and delivering the data as described in this paragraph, and shall not include any assistance in importing, creating, designing, or building any third-party applications or systems. If any such technical assistance is required by Licensee, Licensee will be invoiced by Licensor at our standard hourly rate for any such assistance rendered by Licensor.
- General Provisions.
- Successors and Assigns. This Agreement shall be binding upon and inure to the benefit of Licensor and Licensee and their respective successors and assigns.
- No Assignment. Licensee may not assign or sublicense, without the prior written consent of Licensor, its rights, duties or obligations under this Agreement.
Notices. Any notice or other communication to be given hereunder shall be in writing and shall be deemed sufficient when (i) mailed by United States certified mail, return receipt requested, (ii) delivered by overnight courier service, or (iii) delivered in person, at the address set forth below, or such other address as a party may provide to the others in accordance with the procedure for notices set forth in this Section. Notices shall be effective upon the date of delivery or refusal of personal delivery, certified mail or courier delivery.
If to Licensor:
Fullsteam Software Holdings LLC DBA Eye Cloud Pro
- Devall Dr Ste #301
Auburn, AL 36832
Attn: Dan Loch
Copy: General Counsel
Email: Charles.Kallenbach@fullsteam.com
If to Licensee: The email address provided by Licensee for invoicing, or any other email or mailing address provided by Licensee in an Order Form..
- Waiver. The waiver or failure of either party to exercise in any respect any right provided under this Agreement shall not be deemed a waiver of any further right under this Agreement.
- Construction. The headings contained in this Agreement are for reference purposes only and shall not control or affect the construction of this Agreement or the interpretation thereof. This Agreement has been jointly prepared by the parties and shall be construed accordingly.
- Severability. Wherever possible, each provision of this Agreement shall be interpreted in such manner as to be effective and valid under applicable law, but if any provision of this Agreement shall be prohibited by or invalid under applicable law, such provision shall be ineffective only to the extent of such prohibition or invalidity, without invalidating the remainder of such provision or the remaining provisions of this Agreement.
- Force Majeure. Except for payment obligations, neither party will be liable for any failure of or delay in performance of its obligations under this Agreement to the extent such failure or delay is due to circumstances beyond its reasonable control, including, without limitation, fires, floods, earthquakes, wars, civil disturbances, accidents, acts of any governmental body, or acts of God (“Force Majeure”). Each party will use its best efforts to minimize the duration and consequences of any failure of or delay in performance resulting from a Force Majeure event.
- Governing Law and Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the State of Alabama, without giving effect to applicable principles of conflicts of law to the extent that the application of the laws of another jurisdiction would be required thereby. In case of any dispute related to this Agreement, the Parties agree to submit to personal jurisdiction in the State of Alabama. Furthermore, the Parties hereby irrevocably and unconditionally submit to the exclusive jurisdiction of any municipal, state or federal court in Lee County in the State of for purposes of any suit, action or other proceeding arising out of this Agreement. THE PARTIES HEREBY IRREVOCABLY WAIVE ANY AND ALL RIGHTS TO A TRIAL BY JURY IN ANY ACTION, SUIT OR OTHER PROCEEDING ARISING OUT OF OR RELATING TO THE TERMS, OBLIGATIONS AND/OR PERFORMANCE OF THIS AGREEMENT.
- Third-Party Beneficiaries. This Agreement shall not be construed or deemed to create any rights or privileges, including third-party beneficiary rights, in any person or entity.
- Further Assurances. Each party agrees to execute and deliver all such further instruments and do all such further acts as may be reasonably necessary or appropriate to effectuate this Agreement.
- Amendment of Agreement or Modification of Services. Licensor may, without prior notice, amend this Agreement or modify the Software, including without limitation a change to the fees charged for the Software. Licensee’s continued use of the Software following any change or amendment to this Agreement, or the Software shall be taken as evidence of Licensee’s consent and agreement to the modification and/or amendment. Licensee acknowledges that a posting of the updated agreement at https://www.eyecloudpro.com/terms-of-service shall be deemed adequate notification.
EXHIBIT A
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into as an integral part of the License Agreement to which it is attached.
- Definitions. Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule, Security Rule, and HITECH Act.
- Agent. “Agent” shall have the meaning as determined in accordance with the federal common law of agency.
- Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR §164.402.
- Business Associate. “Business Associate” shall mean .
- Covered Entity. “Covered Entity” shall mean the entity so designated above.
- Data Aggregation. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR §164.501.
- Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR §164.501.
- Disclosure. “Disclosure” and “Disclose” shall have the same meaning as the term “Disclosure” in 45 CFR §160.103.
- Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term in Section 13400 of the HITECH Act.
- Health Care Operations. “Health Care Operations” shall have the same meaning as the term “health care operations” in 45 CFR §164.501.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- HITECH Act. “HITECH Act” shall mean The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009 (“ARRA” or “Stimulus Package”), specifically DIVISION A: TITLE XIII Subtitle D—Privacy, and its corresponding regulations as enacted under the authority of the Act.
- Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- Minimum Necessary. “Minimum Necessary” shall mean the Privacy Rule Standards found at §164.502(b) and §164.514(d)(1).
- Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
- Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR §164.103.
- Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
- Security Incident. “Security Incident” shall have the same meaning as the term “Security Incident” in in 45 CFR §164.304.
- Security Rule. “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. parts §160 and §164, Subparts A and C.
- Subcontractor. “Subcontractor” shall mean a person or entity “that creates, receives, maintains, or transmits protected health information on behalf of a business associate” and who is now considered a business associate, as the latter term is defined in in in 45 CFR §160.103.
- Subject Matter. “Subject Matter” shall mean compliance with the HIPAA Rules and with the HITECH Act.
- Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR §164.402.
- Use. “Use” shall have the same meaning as the term “Use” in 45 CFR §164.103.
- Obligations and Activities of Business Associate.
- Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
- Business Associate agrees to use appropriate safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and in a manner as prescribed herein.
- Business Associate agrees to report to Covered Entity any Security Incident, including all data Breaches or compromises, whether internal or external, related to Protected Health Information, whether the Protected Health Information is secured or unsecured, of which Business Associate becomes aware.
- If the Breach, as discussed in paragraph 2(d), pertains to Unsecured Protected Health Information, then Business Associate agrees to report any such data Breach to Covered Entity within ten (10) business days of discovery of said Breach; all other compromises, or attempted compromises, of Protected Health Information shall be reported to Covered Entity within twenty (20) business days of discovery. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity with information necessary for Covered Entity to meet the requirements of said section, and in a manner and format to be specified by Covered Entity.
- If Business Associate is an Agent of Covered Entity, then Business Associate agrees that any Breach of Unsecured Protected Health Information shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Breach, and under no circumstances later than one (1) business day thereafter. Business Associate further agrees that any compromise, or attempted compromise, of Protected Health Information, other than a Breach of Unsecured Protected Health Information as specified in 2(e) of this Agreement, shall be reported to Covered Entity within ten (10) business days of discovering said compromise, or attempted compromise.
- Business Associate agrees to ensure that any Subcontractor, to whom Business Associate provides Protected Health Information, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to those contained herein shall be imposed on said Subcontractors via a written agreement that complies with all the requirements specified in §164.504(e)(2), and that Business Associate shall only provide said Subcontractors Protected Health Information consistent with Section 13405(b) of the HITECH Act. Further, Business Associate agrees to provide copies of said written agreements to Covered Entity within ten (10) business days of a Covered Entity’s request for same.
- Business Associate agrees to provide access, at the request of Covered Entity and during normal business hours, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet Covered Entity’s requirements under 45 CFR §164.524, provided that Covered Entity delivers to Business Associate a written notice at least three (3) business days in advance of requesting such access. Business Associate further agrees, in the case where Business Associate controls access to Protected Health Information in an Electronic Health Record, or controls access to Protected Health Information stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of Covered Entity.
- Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526, at the request of Covered Entity or an Individual. This provision does not apply if Business Associate and its employees or Subcontractors have no Protected Health Information from a Designated Record Set of Covered Entity.
- Unless otherwise protected or prohibited from discovery or disclosure by law, Business Associate agrees to make internal practices, books, and records, including policies and procedures (collectively “Compliance Information”), relating to the Use or Disclosure of Protected Health Information and the protection of same, available to the Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with demonstrable evidence that its Compliance Information ensures Business Associate’s compliance with this Agreement over time. Business Associate shall have a reasonable time within which to comply with requests for such access and/or demonstrable evidence, consistent with this Agreement. In no case shall access, or demonstrable evidence, be required in less than five (5) business days after Business Associate’s receipt of such request, unless otherwise designated by the Secretary.
- Business Associate agrees to maintain necessary and sufficient documentation of Disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528.
- On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528. Business Associate shall provide said documentation in a manner and format to be specified by Covered Entity. Business Associate shall have a reasonable time within which to comply with such a request from Covered Entity and in no case shall Business Associate be required to provide such documentation in less than three (3) business days after Business Associate’s receipt of such request.
- Except as provided for in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate shall redirect the Individual to the Covered Entity.
- To the extent that Business Associate carries out one or more of Covered Entity’s obligations under the HIPAA Rules, the Business Associate must comply with all requirements of the HIPAA Rules that would be applicable to the Covered Entity.
- A Business Associate must honor all restrictions consistent with 45 C.F.R. §164.522 that the Covered Entity or the Individual makes the Business Associate aware of, including the Individual’s right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
- Permitted Uses and Disclosures by Business Associate.
- Except as otherwise limited by this Agreement, Business Associate may make any Uses and Disclosures of Protected Health Information necessary to perform its services to Covered Entity and otherwise meet its obligations under this Agreement, if such Use or Disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by Covered Entity. All other Uses or Disclosures by Business Associate not authorized by this Agreement, or by specific instruction of Covered Entity, are prohibited.
- Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Except as otherwise limited in this Agreement, Business Associate may Disclose Protected Health Information for the proper management and administration of the Business Associate, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used, or further Disclosed, only as Required By Law, or for the purpose for which it was Disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate agrees that such Data Aggregation services shall be provided to Covered Entity only wherein said services pertain to Health Care Operations. Business Associate further agrees that said services shall not be provided in a manner that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information. Further, Business Associate agrees that any such wrongful Disclosure of Protected Health Information is a direct violation of this Agreement and shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Disclosure and, under no circumstances, later than three (3) business days thereafter.
- Business Associate may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with §164.502(j)(1).
- Business Associate shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.
- Obligations and Activities of Covered Entity.
- Covered Entity shall notify Business Associate of the provisions and any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such provisions and limitation(s) may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, and also notify Business Associate regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any modifications to accounting disclosures of Protected Health Information under 45 CFR §164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall provide Business Associate, within thirty (30) business days of Covered Entity executing this Agreement, a description and/or specification regarding the manner and format in which Business Associate shall provide information to Covered Entity, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(e) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Business Associate is provided sixty (60) business days notice before the requested modification takes effect.
- Covered Entity shall provide Business Associate, within thirty (30) business days of Covered Entity executing this Agreement, a description and/or specification regarding the manner and format in which Business Associate shall provide information to Covered Entity, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(l) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Business Associate is provided sixty (60) business days notice before the requested modification takes effect.
- Covered Entity shall not require Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
- Term and Termination.
- Term. The Term of this Agreement shall begin as of the start of the License Agreement and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Agreement.
- Termination for Cause by Covered Entity. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall give Business Associate written notice of such breach and provide reasonable opportunity for Business Associate to cure the breach or end the violation. Covered Entity may terminate this Agreement, and Business Associate agrees to such termination, if Business Associate has breached a material term of this Agreement and does not cure the breach or cure is not possible. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
- Termination for Cause by Business Associate. Upon Business Associate’s knowledge of a material breach of this Agreement by Covered Entity, Business Associate shall give Covered Entity written notice of such breach and provide reasonable opportunity for Covered Entity to cure the breach or end the violation. Business Associate may terminate this Agreement, and Covered Entity agrees to such termination, if Covered Entity has breached a material term of this Agreement and does not cure the breach or cure is not possible. If neither termination nor cure is feasible, Business Associate shall report the violation to the Secretary.
- Effect of Termination.
- Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity, within ten (10) business days, notification of the conditions that make return or destruction infeasible. Upon such determination, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- Entire Agreement.
- This Agreement supersedes all other prior and contemporaneous written and oral agreements and understandings between Covered Entity and Business Associate regarding this Subject Matter. It contains the entire Agreement between the parties.
- This Agreement may be modified only by a signed written agreement between Covered Entity and Business Associate.
- All other agreements entered into between Covered Entity and Business Associate, not related to this Subject Matter, remain in full force and effect.
- Governing Law.
- This Agreement and the rights of the parties shall be governed by and construed in accordance with Federal law as it pertains to the Subject Matter. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to applicable principles of conflicts of law to the extent that the application of the laws of another jurisdiction would be required thereby. In case of any dispute related to this Agreement, the parties agree to submit to personal jurisdiction in the State of Delaware. Furthermore, the parties hereby irrevocably and unconditionally submit to the exclusive jurisdiction of any court of the State of Delaware or any federal court sitting in the State of Delaware for purposes of any suit, action or other proceeding arising out of this Agreement. THE PARTIES HEREBY IRREVOCABLY WAIVE ANY AND ALL RIGHTS TO A TRIAL BY JURY IN ANY ACTION, SUIT OR OTHER PROCEEDING ARISING OUT OF OR RELATING TO THE TERMS, OBLIGATIONS AND/OR PERFORMANCE OF THIS AGREEMENT.
- Miscellaneous.
- Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule, or HITECH Act means the section as in effect or as amended.
- The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act, and its corresponding regulations.
- The respective rights and obligations of Business Associate under Section 5(d) of this Agreement shall survive the termination of this Agreement.
- Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act, and its corresponding regulations.
- Severability. If any provision or provisions of this Agreement is/are determined by a court of competent jurisdiction to be unlawful, void, or unenforceable, this Agreement shall not be unlawful, void or unenforceable thereby, but shall continue in effect and be enforced as though such provision or provisions were omitted.