This Subscription Agreement consists of these Terms and Conditions and one or more Service Orders. These Terms and Conditions shall apply to each Service Order as executed by and between Intuit Inc. and its wholly-owned subsidiary, Medfusion, Inc., also doing business as Intuit Health ("Intuit"), and Client. All references herein to this Agreement, unless otherwise specified, shall include these Terms and Conditions, any Business Associate Agreement, all schedules, specifications, exhibits, attachments and addenda referenced or appended hereto, and all Service Orders, and all are incorporated herein by reference.
1.1 "Application Services" means hosting and operating an Intuit Application to provide Client with access to and use of such Intuit Application.
1.2 "Authorized Users" means persons authorized by Client (including its employees, Patients and Providers) to access and use the Services who possess an authorized user ID and password and for whom Client has paid the applicable user fees.
1.3 "Consulting Services" shall mean any training, consulting, data migration, conversion, integration, implementation and/or other services provided by Intuit to Client, as described in the Service Order.
1.4 "Content" means all Client Confidential Information, software applications, text, pictures, sound, graphics, video and other data transmitted by Authorized Users using the Services.
1.5 "Intuit Application" means all software and databases used by Intuit to provide the Application Services to Client.
1.6 "Patient" means a person seeking health care and who, prior to using the Application Services, has been determined by Client to have a patient-physician relationship with a Physician in accordance with the applicable requirements of State law and of the applicable State licensure boards.
1.7 "Physician" means a licensed physician that participates in Client's medical practice.
1.8 "Provider" means a provider of medical or health services, including, but not limited to a Physician, a physician assistant, nurse, physical therapist or psychotherapist.
1.9 "Service Order" means the written description of the Services to be provided by Intuit to Client that is executed by Client and Intuit and expressly refers to this Agreement.
1.10 "Services" means the Application Services, Consulting Services and any other services identified in Section 2.1 of this Agreement.
2.1 Services. Intuit shall use commercially reasonable efforts to provide the Services in accordance with the terms and conditions of this Agreement. In the event of any conflict between the body of this Agreement and a Service Order, the terms and conditions set forth in the body of this Agreement shall govern. The Services shall include: (i) the provision of technical support to Authorized Users via email during Intuit's regular business hours, in accordance with Intuit's then-current technical support policies and (ii) Intuit's then-current online training. Client's Providers and employees shall complete such training prior to their use of the Application Services. Upon Client's request, Intuit may provide additional technical support at Intuit's then-current hourly rates, subject to the execution of a mutually agreed upon Service Order.
2.2 Security. Intuit has implemented commercially reasonable security measures to prevent unauthorized access to computer hardware and other equipment and/or software possessed and used by Intuit to provide the Application Services. Client shall be solely responsible for the security of the Client Operating Environment.
2.3 Intuit Application Changes. Intuit may from time to time develop enhancements, upgrades, updates, improvements, modifications, extensions and other changes to the Application Services ("Intuit Application Changes"). Client hereby authorizes Intuit to implement such Intuit Application Changes for use with the Application Services, provided that such Intuit Application Changes do not have a material adverse effect on the functionality or performance of the Application Services. When commercially practicable, Intuit shall notify Client in advance of the implementation of any material Intuit Application Changes.
2.4 Cooperation; Access. Client acknowledges that the successful and timely rendering of the Services shall require the good faith cooperation of Client. Intuit shall not be liable for any failure to perform the Services that arises from Client's failure to cooperate with Intuit.
2.5 Special Terms. The Application Services provided to Client shall be subject to any specific limitations set forth in the Service Order, including limitations on bandwidth and data storage.
3. USE OF THE APPLICATION SERVICES.
3.1 Intuit License. Intuit hereby grants to Client a nontransferable, non-exclusive, license during the term of this Agreement, to allow Authorized Users to access and use, over public and private networks, the Application Services for its medical practice and not for use by any third party practice. The number of Providers accessing the Application Services shall not exceed the number of Providers purchased by Client, as indicated in the Service Order. Client shall notify Intuit in writing in the event it wishes to increase the number of Providers. Upon receipt of such notice, Intuit shall increase the number of Providers at Intuit's then-current rates. Client may, upon ninety (90) days' written notice, reduce the number of Providers by up to ten percent (10%) during each Term of this Agreement.
3.2.1 Intuit owns all right, title and interest in and to the Application Services and Intuit Application. The Application Services are provided to Client for use only as expressly set forth in this Agreement, and Client will not use the Application Services in whole or in part for any other use or purpose. Client will not, and will not allow any third party to (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques or algorithms of the Intuit Application by any means, or disclose any of the foregoing; (ii) except as expressly set forth in this Agreement, provide, rent, lease, lend, or use the Intuit Application for timesharing, subscription, or service bureau purposes; or (iii) sublicense, transfer or assign this Intuit Application or any of the rights or licenses granted under this Agreement.
3.2.2 Client shall not use the Application Services for storage, possession, or transmission of any information, the possession, creation or transmission of which violates any state, local or federal law, including without limitation, those laws regarding stolen materials, obscene materials or child pornography.
3.2.3 Client shall not transmit Content over the Application Services that infringes upon or misappropriates the intellectual property or privacy rights of any third party.
3.2.4 Client understands the Application Services streamline the normal operations of a medical practice and that the Application Services are not designed for medical emergencies. Client agrees to inform its Patients that this service is not designed for emergency use.
3.2.5 Intuit and Client agree that only appropriately licensed Providers shall assess, diagnose, and recommend treatment for Patients. Client acknowledges and agrees that Intuit is not engaged in the practice of medicine through the provision of the services contemplated herein. Client shall take all actions required to ensure that its use of the Application Services is in compliance with all applicable laws, rules, regulations and professional standards. Client shall be solely responsible for verifying the identity and authenticity of Authorized Users. Neither party shall interfere with, control, or otherwise influence the physician-patient relationship established between a Physician and a Patient. Client shall take all reasonable precautions to ensure that the Application Services are utilized by its Authorized Users in a manner consistent with applicable ethical and legal requirements. INTUIT SHALL HAVE NO OBLIGATION, RESPONSIBILITY OR LIABILITY FOR ANY PHYSICIAN'S PROVISION OF PROFESSIONAL SERVICES.
3.2.6 Nothing in this Agreement shall be construed as an offer for payment by one party to the other party or any affiliate of the other party of any cash or other remuneration, whether directly or indirectly, overtly or covertly, for Patient referrals or for recommending or for arranging, purchasing, leasing or ordering any item or service.
3.3 Client Content. Client hereby grants to Intuit a worldwide, non-exclusive, fully paid-up license to use, copy, modify, enhance, display, publish, distribute, create derivative works of and otherwise use the Content in any manner reasonably necessary to perform the Services. Client represents and warrants that it has all rights necessary to grant Intuit the foregoing license. Client further represents and warrants that Client owns all right, title and interest in and to the Content or has a license granting it the rights necessary to permit it to grant the foregoing license. If Client licenses any Content, it shall not provide such Content to Intuit until it provides Intuit with a copy of the license.
4.1 Fees. Client agrees to pay Intuit for the performance of the Services in accordance with the rates and fees specified in the Service Order. On each one year anniversary of a Service Order, Intuit may increase the rates and fees set forth in such Service Order by up to the annual percentage change reflected in the twelve (12)-month non-seasonally adjusted CPI-U, U.S. City Average published by the U.S. Bureau of Labor Statistics and found on the website: http://www.bls.gov/cpi/. Intuit shall give Client notice of such increase prior to its effective date. Unless otherwise set forth in the Service Order, all payments shall be made in United States dollars no later than thirty (30) days after the date of invoice. All payments not received when due shall accrue interest at a rate per month of one and one-half percent (1.5%). Client may dispute all or part of any invoice in good faith by providing Intuit with written notice of such dispute within thirty (30) days after the receipt of such disputed invoice.
4.2 Taxes. The fees payable under this Agreement shall not include local, state or federal sales, use, value-added, excise or personal property or other similar taxes or duties now in force or enacted in the future imposed on the transaction and/or the delivery of the Services, all of which Client shall be responsible for and pay in full except those taxes based on the net income of Intuit.
5. TERM AND TERMINATION.
5.1 Term. Unless earlier terminated in accordance with its terms, each Service Order will have the initial term set forth in the Service Order (the "Initial Term"). Unless otherwise set forth in a Service Order, upon the expiration of each Initial Term, the term of a Service Order will renew automatically for additional terms of one (1) year each ("Renewal Term", and together with the Initial Term, the "Term"), unless either party notifies the other party, at least ninety (90) days prior to the end of the then-current Term that it has elected to terminate such Service Order, in which event such Service Order will terminate at the end of such Term. Unless earlier terminated in accordance with its terms, this Agreement will expire on the date the last Service Order then in effect expires or is terminated pursuant to the terms and conditions set forth in this Agreement.
5.2 Termination for Cause. Except as otherwise provided herein, either party may terminate this Agreement upon the material breach of the other party, if such breach remains uncured for thirty (30) days following written notice to the breaching party.
5.3 Effect of Termination. Upon the expiration of this Agreement Intuit will terminate Client's access to the Application Services and will cease the provision of all Services.
6. WARRANTIES; DISCLAIMER
6.1 Intuit hereby warrants that during the term of this Agreement, the Application Service will perform, in all material respects, in accordance with its then-current published functional specifications. In the event of any failure of the Application Services to perform in a material respect to such specifications, Intuit will, as Client's sole and exclusive remedy for such failure, repair the applicable Application Service.
6.2 DISCLAIMER OF WARRANTIES. EXCEPT AS SET FORTH IN SECTION 6.1, INTUIT MAKES NO WARRANTIES REGARDING THE SERVICES, AND INTUIT HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE SERVICES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY OR SECURITY. INTUIT DOES NOT WARRANT THAT ACCESS TO OR USE OF THE APPLICATION SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE APPLICATION SERVICE WILL BE CORRECTED, OR THAT THE SERVICES WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. INTUIT DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES. The provisions of this Section allocate the risks under this Agreement between Intuit and Client. Intuit's pricing reflects this allocation of risk and the limitation of liability specified herein.
7.1 Indemnification by Intuit. Intuit will defend, indemnify and hold Client harmless from and against any action brought against Client by a third party to the extent that it is based upon a claim that (i) the Application Services (or any portion thereof), as provided by Intuit to Licensee under this Agreement and used within the scope of this Agreement, infringes any U.S. copyright, trademark, trade secret or other intellectual property right recognized under U.S. law, (ii) Intuit is in violation of any term, provision, representation or warranty in this Agreement, and (iii) Intuit or the Application Services (or any portion thereof) is not in compliance with applicable U.S. law; and Intuit shall pay any costs, damages and reasonable attorneys' fees attributable to such claim that are awarded either by final judgment or settlement against Client. Notwithstanding the foregoing sentence, Intuit shall have no liability for any claim resulting from or arising out of: (a) any unauthorized modification of the Application Services by Client or any third party; (b) Client's use of other than the then current, unaltered version of the Application Services; (c) use, modification, operation or combination of the Application Services or any portion thereof with any programs, data, equipment or documentation not provided by Intuit; (d) Intuit's or its third party service providers' compliance with Client's designs, specifications or instructions; or (e) any claim for which Client is required to indemnify Intuit pursuant to Section 7.2. 
In the event the Application Services or any portion thereof becomes (or, in Intuit's opinion, is likely to become) subject to any claim of infringement or misappropriation of third party rights, Intuit may, in its sole discretion: (x) procure for Client the right to continue to use the Application Services; (y) replace or modify the Application Services with a version of the Application Services that is not infringing; or (z) if Intuit cannot accomplish (x) or (y) using commercially reasonable efforts, terminate this Agreement or the affected Application Service without penalty. If Intuit terminates the Agreement pursuant to (z) above, Intuit will provide reasonable and customary transition services to Client at no additional charge. THIS SECTION 7.1 SETS FORTH THE ENTIRE LIABILITY OF INTUIT, AND CLIENT'S SOLE AND EXCLUSIVE REMEDY, WITH RESPECT TO ANY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION OF THIRD PARTY RIGHTS.
7.2 Indemnification by Client. Client shall indemnify, defend and hold harmless Intuit from and against any claims, losses, damages, liabilities or expenses (including, without limitation, reasonable attorneys' fees and expenses) resulting from or arising out of: (a) any claim that any trademark, logo or trade name provided by Client for use or display on or in connection with the Application Services infringes upon or misappropriates any trademark, logo or trade name of any third party; (b) any claim that any Content infringes upon or misappropriates any patent, copyright, trademark, trade secret, privacy, publicity or other intellectual property or proprietary right of any third party; (c) any Patient's negligent or intentional misuse of the System or violation of any applicable law or regulation (including, without limitation, any improper or unauthorized transfer of funds from End User accounts via the System); (d) Client's failure to comply with laws, rules, regulations or professional standards.
7.3 Indemnification Procedures. The indemnification obligations of each party ("Indemnifying Party") under this Section 7 are subject to the following conditions: (a) The party seeking indemnification ("Indemnified Party") shall give the Indemnifying Party prompt notice in writing and in reasonable detail of any claim for which indemnification is sought; (b) the Indemnifying Party shall have the authority to control the defense and settlement of the claim (provided that the Indemnified Party shall have the right, but not the obligation, to participate at its own expense in the defense of such claim); and (c) the Indemnified Party shall give reasonable assistance to the Indemnifying Party to enable the Indemnifying Party to defend the claim. The Indemnifying Party shall not settle or compromise any claim without the prior written consent of the Indemnified Party if such settlement or compromise in any manner indicates that the Indemnified Party contributed to or was responsible for such claim, or if such settlement or compromise imposes any obligations upon the Indemnified Party or requires the Indemnified Party to take any action.
8. CONFIDENTIAL INFORMATION.
8.1 Except as expressly permitted in this Section 8, no party will, without the prior written consent of the other party, disclose any Confidential Information of the other party to any third party. Information will be considered Confidential Information of a party if either (i) it is disclosed by the party to the other party in tangible form and is conspicuously marked "Confidential", "Proprietary" or the like; or (ii) (a) it is disclosed by a party to the other party in non-tangible form and is identified as confidential at the time of disclosure; and (b) it contains the disclosing party's customer lists, customer information, technical information, pricing information, pricing methodologies, or information regarding the disclosing party's business planning or business operations. In addition, notwithstanding anything in this Agreement to the contrary, the terms of this Agreement will be deemed Intuit Confidential Information. Intuit may, in any manner, publicly announce the relationship with Client. Intuit may also develop, with customer review and approval, a business use case that may be used for Intuit marketing purposes.
8.2 Other than the terms and conditions of this Agreement, information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party.
8.3 Each party will secure and protect the Confidential Information of the other party (including, without limitation, the terms of this Agreement) in a manner consistent with the steps taken to protect its own trade secrets and confidential information, but not less than a reasonable degree of care. Each party may disclose the other party's Confidential Information where (i) the disclosure is required by applicable law or regulation or by an order of a court or other governmental body having jurisdiction after giving reasonable notice to the other party with adequate time for such other party to seek a protective order; (ii) if in the opinion of counsel for such party, disclosure is advisable under any applicable securities laws regarding public disclosure of business information; or (iii) the disclosure is reasonably necessary and is to that party's, or its Affiliates', employees, officers, directors, attorneys, accountants and other advisors, or the disclosure is otherwise necessary for a party to exercise its rights and perform its obligations under this Agreement, so long as in all cases the disclosure is no broader than necessary and the person or entity who receives the disclosure agrees prior to receiving the disclosure to keep the information confidential. Each party is responsible for ensuring that any Confidential Information of the other party that the first party discloses pursuant to this Section 8 (other than disclosures pursuant to clauses (i) and (ii) above that cannot be kept confidential by the first party) is kept confidential by the person receiving the disclosure.
9. Limitation of Liability.
9.1 CONSEQUENTIAL DAMAGES. NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY OR LIMITATION OF LIABILITY, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING, WITHOUT LIMITATION, LOST REVENUES OR PROFITS, LOSS OF USE, OR LOSS OF GOODWILL OR REPUTATION) WITH RESPECT TO ANY CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT OR THE APPLICATION SERVICES, WHETHER BASED ON CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE AND STRICT LIABILITY), REGARDLESS OF WHETHER SUCH PARTY WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.
9.2 DIRECT DAMAGES. NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY OR LIMITATION OF LIABILITY, INTUIT'S LIABILITY FOR DAMAGES OF ANY KIND WITH RESPECT TO ANY CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, THE SYSTEM, THE SOFTWARE, THE DOCUMENTATION, OR THE SERVICES, WHETHER BASED ON CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE AND STRICT LIABILITY) SHALL NOT EXCEED THE AMOUNT OF FEES INCURRED BY CLIENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT FROM WHICH SUCH LIABILITY AROSE FOR THE AUTHORIZED SERVICE GIVING RISE TO THE CLAIM.
9.3 The remedies expressly set forth in this Agreement shall be Client's sole and exclusive remedies in the event of any alleged breach by Intuit under this Agreement or arising out of or related to the subject matter of this Agreement. Client acknowledges that the limitations of liability contained in this Section 9 are a fundamental part of the basis of Intuit's bargain hereunder, and Intuit would not enter into this Agreement absent such limitations. The limitations of liability in this Section 9 shall not apply to Client's obligation to pay Fees including, without limitation, any applicable Termination Fees.
9.4 For purposes of this Section 9, the term "Intuit" shall mean Intuit, its parent, subsidiaries, and affiliates, and its and their respective officers, employees, and stockholders. The parties agree that such individuals and entities are express third party beneficiaries to the limitations under this Section 9.
10. GENERAL PROVISIONS.
10.1 Governing Law. This Agreement shall be governed, construed and enforced in accordance with the laws of the State of North Carolina and, where applicable, federal law, without giving effect to the conflict-of-laws principles thereof. The parties agree that jurisdiction over and venue in any legal proceeding arising out of or relating to this Agreement will exclusively be in the state or federal courts located in Raleigh, North Carolina.
10.2 Severability. If any provision of this Agreement is held to be invalid or unenforceable for any reason, it shall be deemed omitted and the remaining provisions will continue in full force without being impaired or invalidated in any way. The parties agree to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
10.3 Waiver. The waiver by either party of a breach of any provision of this Agreement will not operate or be interpreted as a waiver of any other or subsequent breach.
10.4 Assignment. This Agreement shall be binding upon the parties' respective successors and permitted assigns. Client shall not assign this Agreement, and/or any of its rights and obligations hereunder, without the prior written consent of Intuit, which consent shall not be unreasonably withheld. This Agreement, and the rights and obligations herein, may be assigned by Intuit to any person or entity without the written consent of the Client.
10.5 Independent Contractors. Intuit is acting in performance of this Agreement as an independent contractor.
10.6 Strategic Relationships. Intuit may enter into strategic relationships with third parties that may benefit Client by increasing patient requests. In such an event, Intuit shall be permitted to place appropriate links, icons or displays within the Intuit Application that is accessed as part of the Application Services. Although Intuit may include links providing direct access to third-party Internet sites as a convenience, the inclusion of a link does not imply endorsement of the linked site by Intuit. Intuit does not take responsibility for the content or information contained on those other sites, and does not exert any editorial or other control over those other sites. Intuit does not take responsibility for the privacy policies and practices of these third-party links.
10.7 Notices. All notices required to be given under the terms of this Agreement or which any of the parties hereto may desire to give hereunder, shall be in writing, shall be delivered via one of the following methods, and shall be deemed to have been received: (i) on the day given, if delivered by hand (securing a receipt evidencing such delivery); or (ii) on the second day after such notice is sent by a nationally recognized overnight or two (2) day air courier service, full delivery cost paid; or (iii) on the fifth day after such notice was mailed, registered mail, prepaid, return receipt requested, and addressed to the party to be notified at the addresses set forth in the Service Order.
10.8 Survival. All provisions of this Agreement relating to proprietary rights, payment of fees accrued, confidentiality and non-disclosure, indemnification and limitation of liability shall survive the completion of the Services or any termination of this Agreement.
10.9 Legal Fees. In the event of any proceeding or lawsuit brought by Intuit or Client in connection with this Agreement, the prevailing party shall be entitled to recover its costs and legal fees (including, but not limited to, allocated costs of in-house staff counsel) and court costs.
10.10 Force Majeure. Neither party will be liable to the other for failure to meet its obligations under this Agreement where such failure is caused by events beyond its reasonable control such as fire, failure of communications networks, riots, civil disturbances, embargos, storms, acts of terrorism, pestilence, war, floods, tsunamis, earthquakes or other acts of God.
10.11 Subsequent Modifications. No amendment, alteration or modification of this Agreement shall be effective or binding unless it is set forth in a writing signed by duly authorized representatives of both parties.
10.12 Entire Agreement. This Agreement and any exhibits and schedules attached hereto, constitutes the entire agreement between the parties in connection with the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, of the parties, and there are no warranties, representations and/or agreements among the parties in conjunction with the subject matter hereof except as set forth in this Agreement.
BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act ("HIPAA") of 1996, Public Law 104-191, known as "the Administrative Simplification provisions," direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the "HIPAA Security and Privacy Rule"); and
WHEREAS, the American Recovery and Reinvestment Act ("ARRA") of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the "Health Information Technology for Economic and Clinical Health" ("HITECH") Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the "HIPAA Security and Privacy Rule" are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties wish to enter into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a "business associate" of Covered Entity as defined in the HIPAA Security and Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information ("PHI"), as defined below, in fulfilling its responsibilities under such arrangement; and
If a Service Order entered into under a Subscription Agreement between Intuit and the client thereto provides that the parties will enter into Intuit's standard Business Associate Agreement, then Intuit ("Business Associate"), and such client (the "Covered Entity") (each a "Party" and collectively the "Parties") hereby agree to the terms and conditions of this Business Associate Agreement (this "Business Associate Agreement").
Article 1 Definitions
Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, codified as 42 U.S.C. §1320d ("HIPAA"), the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (the "HITECH" Act), and any current and future regulations promulgated under HIPAA or HITECH.
1.1 "Breach" shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the "HIPAA Privacy Regulations") which compromises the security or privacy of the Protected Health Information. "Breach" shall not include:
(a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Regulations; or
(b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Regulations; or
(c) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
1.2 "Designated Record Set" means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.
1.3 "Electronic Protected Health Information" or "Electronic PHI" means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Regulations.
1.4 "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
1.5 "HIPAA Privacy Regulations" shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
1.6 "HIPAA Security Regulations" shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and subparts A and C of part 164.
1.7 "HITECH Standards" means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the HITECH Act and any regulations promulgated thereafter.
1.8 "Individually Identifiable Information" means information that is a subset of health information, including demographic information collected from an individual, and:
(a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
(b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.9 "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. §160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. "Protected Health Information" includes without limitation "Electronic Protected Health Information" as defined above. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity's behalf shall be subject to this Business Associate Agreement.
1.10 "Secretary" shall mean the Secretary of the Department of Health and Human Services or his/her designee.
1.11 "Unsecured Protected Health Information" shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h) of the HITECH Act.
Article 2 Obligations of Business Associate
2.1 Limited Use or Disclosure of PHI. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the Agreement or as required by law. Business Associate may (1) use and disclose PHI to perform the services agreed to by the Parties; (2) use or disclose PHI for the proper management and administration of Business Associate or in accordance with its legal responsibilities; (3) use PHI to provide data aggregation services relating to health care operations of Covered Entity; (4) use or disclose PHI to report violations of the law to law enforcement; or (5) use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. §164.514. Business Associate will not sell PHI or use or disclose PHI for marketing or fund raising purposes as set forth in the HITECH Act.
2.2 Subcontractors. Business Associate agrees to require any subcontractor to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, to agree to the same restrictions and conditions that apply throughout this Business Associate Agreement to Business Associate with respect to such information. Subcontractors shall receive appropriate training, and agree to implement reasonable and appropriate safeguards to protect any of such information which is PHI or Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees' actions or omissions do not cause Business Associate to breach the terms of this Business Associate Agreement.
2.3 Safeguards. Business Associate agrees to use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this Business Associate Agreement.
2.5 Compliance. Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be "marketing" under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.
2.6 Notice of Use or Disclosure, Security Incident or Breach.
(a) Business Associate agrees to notify the designated Privacy Officer of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of breach. Business Associate shall provide the following information in such notice to Covered Entity:
(i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
(ii) a description of the nature of the Breach including the types of unsecured PHI that were involved, the date of the Breach and the date of discovery;
(iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);
(iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;
(v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and
(vi) any other details necessary for Covered Entity to assess risk of harm to Individual(s), including identification of each Individual whose unsecured PHI has been Breached and steps such Individuals should take to protect themselves.
(b) Covered Entity will be responsible for providing notification to Individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HITECH Act. In the event that a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity's breach analysis procedures, including risk assessment and determination of the extent of access of such unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate's then current rates.
(c) Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
(d) The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, "Unsuccessful Security Incidents" include activity such as pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
2.7 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably requested by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.
2.8 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees, upon request of Covered Entity or an Individual.
2.9 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary in a time and manner designated by the Covered Entity or Secretary, for the purposes of the Secretary in determining the Parties' compliance with HIPAA, the HITECH Act, the American Recovery and Reinvestment Act, and corresponding regulations.
2.10 Accounting and Audit. Business Associate agrees to provide to Covered Entity an accounting of PHI disclosures made by Business Associate, including disclosures made for treatment, payment and health care operations. The accounting shall be made within a reasonable amount of time upon receipt of a request from Covered Entity. The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule.
2.11 Security of Electronic Protected Health Information. Business Associate agrees to (1) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity; (2) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (3) report to the Covered Entity any security incidents of which it becomes aware.
2.12 Minimum Necessary. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. §164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
2.13 Permitted Uses and Disclosures. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate HIPAA, ARRA, or the HITECH Act if done by the Covered Entity. Notwithstanding the prohibitions set forth in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information:
(a) if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or
(b) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
(c) Business Associate may de-identify any and all Protected Health Information created or received by Business Associate under this Agreement; provided, however, that such de-identification conforms to the requirements under HIPAA. Such resulting de-identified information shall not be subject to the terms of this Agreement.
Article 3 Obligations of Covered Entity
3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate's use or disclosure of PHI.
3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate the HIPAA Privacy Regulations, ARRA, or the HITECH Act if done by Covered Entity.
3.5 Consents. Obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.
Article 4 Term and Termination
4.1 Term. The Term of this Business Associate Agreement shall be effective as of the date listed above and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
4.2 Termination for Cause. Upon either Party's determination that the other Party has committed a violation or material breach of this Business Associate Agreement, the non-breaching Party may take one of the following steps:
(a) Provide an opportunity for the breaching Party to cure the breach or end the violation, and if the breaching Party does not cure the breach or end the violation within a reasonable time, terminate this Agreement;
(b) Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Agreement and cure of the material breach is not possible; or
(c) If neither cure nor termination is feasible, elect to continue this Business Associate Agreement and report the violation or material breach to the Secretary in accordance with the requirements set forth in the HITECH Act.
4.3 Disposition of PHI Upon Termination or Upon Request.
(a) Upon termination of this Business Associate Agreement, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associate on behalf of Covered Entity which Business Associate still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.
(b) It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Business Associate Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Business Associate Agreement that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
Article 5 Miscellaneous
5.1 No Third Parties; Survival. Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Business Associate Agreement do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Business Associate Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
5.2 Amendment. The Parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, ARRA, or the HITECH Act and any applicable regulations in regard to such laws.
5.3 Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA, ARRA, or the HITECH Act or any applicable regulations in regard to such laws.
5.4 Prior Agreement. This Business Associate Agreement shall replace and supersede any prior Business Associate Agreement between the Parties.
5.5 Ambiguity. Any ambiguity of this Business Associate Agreement shall be resolved to permit the Parties to comply with the HITECH Act, HIPAA, ARRA, and the Privacy and Security Rules and other implementing regulations and guidance.
5.6 Minimum Requirements. The provisions of this Business Associate Agreement are intended to establish the minimum requirements regarding Business Associate's use and disclosure of Protected Health Information.
5.7 Notices. Except as otherwise specified herein, all notices, demands or communications required under this Business Associate Agreement shall be in writing and delivered personally, or sent either by U.S. certified mail, postage prepaid return receipt requested, or by overnight delivery air courier (e.g., Federal Express) to the parties at their respective addresses set forth above in this Agreement and, for Intuit, with a copy to: Intuit Inc., Attention: General Counsel, Law Department, P.O. Box 7850, Mountain View, California 94039-7850. All such notices, requests, demands, or communications shall be deemed effective immediately upon receipt.
5.8 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Business Associate Agreement is the entire agreement between the parties in connection with the subject matter herein and this Business Associate Agreement may be amended or modified only in a writing signed by the Parties. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Business Associate Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Business Associate Agreement. Any assignment of this Business Associate Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Business Associate Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Business Associate Agreement and any other agreements between the Parties evidencing their business relationship. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Business Associate Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Business Associate Agreement will remain in full force and effect. 
In addition, in the event a Party believes in good faith that any provision of this Business Associate Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Business Associate Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.