Mobl Solutions, LLC

Services Agreement


The Services Agreement (“Agreement”) between Mobl and Customer consists of these Terms and Conditions (the “Terms”), the Service Order (as defined below), and the BAA (as defined below). These Terms and the BAA shall apply to each Service Order executed by Mobl and Customer, provided, however, to the extent any provisions within these Terms explicitly contradict the provisions of an applicable Service Order, such provisions of the Service Order shall control.

    1. Definitions.
    2. Aggregated Statistics” means data and information related to Customer’s use of the Services that is used by Mobl in an aggregate and anonymized manner, including to compile statistical and performance information related to the provision and operation of the Services.
    3. Authorized Users” means those Providers who are employed or engaged by Customer (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to the Agreement and (ii) for whom access to the Services has been purchased hereunder.
    4. BAA” means the Business Associate Agreement attached as Exhibit A to these Terms.
    5. Customer” means the party identified as such in the Service Order to which these Terms apply.
    6. Customer Data” means, other than Aggregated Statistics, information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services.
    7. Effective Date” means the date designated as such on the Service Order.
    8. Mobl” means Mobl Solutions, LLC, a North Carolina limited liability company.
    9. Mobl IP” means the Services and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Mobl IP includes Aggregated Statistics and any information, data, or other content derived from Mobl’s monitoring of Customer’s access to or use of the Services, but does not include Customer Data.
    10. Parties” means Mobl and Customer, and “Party” means either of Mobl or Customer.
    11. Provider” means a provider of medical or health services, including, but not limited to a physician, a physician assistant, nurse, physical therapist or psychotherapist.
    12. Service Order” means the document captioned “Services Agreement Order Form” (or is similarly styled) that is executed by Customer and Mobl, and expressly refers to these Terms and the Agreement.
    13. Services” means the software-as-a-service offering currently marketed by Mobl as DOCUMOBL, including, without limitation, the mobile software application with which the Authorized Users interface when using the Services.
    14. Access and Use.
      1. Provision of Access. Subject to and conditioned on Customer’s payment of Fees and compliance with all other terms and conditions of the Agreement, Mobl hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 11(g)) right to access and use the Services during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Mobl shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Services. The total number of Authorized Users will not exceed the number set forth in the Service Order, except as expressly agreed to in writing by the Parties and subject to any appropriate adjustment of the Fees payable hereunder.
      2. Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in the Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services; or (v) use the Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.
      3. Reservation of Rights. Mobl reserves all rights not expressly granted to Customer in the Agreement. Except for the limited rights and licenses expressly granted under the Agreement, nothing in the Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Mobl IP.
      4. Suspension. Notwithstanding anything to the contrary in the Agreement, Mobl may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Mobl reasonably determines that (A) there is a threat or attack on any of the Mobl IP; (B) Customer’s or any Authorized User’s use of the Mobl IP disrupts or poses a security risk to the Mobl IP or to any other customer or vendor of Mobl; (C) Customer, or any Authorized User, is using the Mobl IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Mobl’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; (ii) any vendor of Mobl has suspended or terminated Mobl’s access to or use of any third-party services or products required to enable Customer to access the Services; or (iii) in accordance with Section 4(a)(iii) (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). Mobl shall use commercially reasonable efforts to provide Notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Mobl shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Mobl will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
      5. Aggregated Statistics. Notwithstanding anything to the contrary in the Agreement, Mobl may monitor Customer’s use of the Services and collect and compile Aggregated Statistics. As between Mobl and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Mobl. Customer acknowledges that Mobl may compile Aggregated Statistics based on Customer Data input into the Services. Customer agrees that Mobl may use Aggregated Statistics to the extent and in the manner permitted under applicable law.
    15. Customer Responsibilities. Customer is responsible and liable for all uses of the Services resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of the Agreement. Without limiting the generality of the foregoing, Customer acknowledges and agrees that:
      1. Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of the Agreement if taken by Customer will be deemed a breach of the Agreement by Customer;
      2. Customer shall use reasonable efforts to make all Authorized Users aware of the Agreement’s provisions as applicable to such Authorized User’s use of the Services, and shall cause Authorized Users to comply with such provisions;
      3. only appropriately licensed Authorized User shall assess, diagnose, and recommend treatment for patients;
      4. Mobl is not engaged in the practice of medicine through the provision of the Services contemplated herein;
      5. Customer shall take all actions required to ensure that Customer’s and its Authorized Users’ use of the Services is in compliance with all applicable laws, rules, regulations and professional standards;
      6. Customer shall take all reasonable precautions to ensure that the Services are utilized by its Authorized Users in a manner consistent with applicable ethical and legal requirements; and
      7. nothing in the Agreement shall be construed as an offer for payment by one Party to the other Party or any affiliate of the other Party of any cash or other remuneration, whether directly or indirectly, overtly or covertly, for patient referrals or for recommending or for arranging, purchasing, leasing or ordering any item or service.
    16. Fees and Payment.
      1. Fees. Customer shall pay Mobl the fees (“Fees”) as set forth in the Service Order without offset or deduction. Customer shall make all payments hereunder in US dollars on or before the due date set forth in the Service Order. If Customer fails to make any payment when due, without limiting Mobl’s other rights and remedies: (i) Mobl may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Mobl for all reasonable costs incurred by Mobl in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for 15 days or more, Mobl may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.
      2. Taxes. All Fees and other amounts payable by Customer under the Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Mobl’s income.
      3. Auditing Rights. Mobl may, at its own expense, on reasonable prior Notice, periodically inspect and audit Customer’s records with respect to matters covered by the Agreement, provided that if such inspection and audit reveals that Customer has underpaid Mobl with respect to any amounts due and payable hereunder, Customer shall promptly pay the amounts necessary to rectify such underpayment, together with interest in accordance with Section 4(a). Customer shall pay for the costs of the audit if the audit determines that Customer’s underpayment equals or exceeds 5% for any month. Such inspection and auditing rights will extend throughout the Term of the Agreement and for a period of two years after the termination or expiration of the Agreement.
    17. Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media, and whether or not marked, designated or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given Notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under the Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of the Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
    18. Intellectual Property Ownership; Feedback.
      1. Mobl IP. Customer acknowledges that, as between Customer and Mobl, Mobl owns all right, title, and interest, including all intellectual property rights, in and to the Mobl IP.
      2. Customer Data. Mobl acknowledges that, as between Mobl and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Mobl a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Mobl to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Aggregated Statistics.
      3. Feedback. If Customer or any of its employees or contractors sends or transmits any communications or materials to Mobl by mail, email, telephone, or otherwise, suggesting or recommending changes to the Mobl IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Mobl is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Mobl on Customer’s behalf, and on behalf of its employees, contractors and/or agents, all right, title, and interest in, and Mobl is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Mobl is not required to use any Feedback.
    19. Limited Warranty and Warranty Disclaimer.
      1. Mobl hereby warrants that, during the Term, the Services will perform, in all material respects, in accordance with their then-current published functional specifications. In the event of any failure of the Services to perform in a material respect with such specifications, Mobl will, as Customer’s sole and exclusive remedy for such failure, repair the applicable Service.
    20. Indemnification.
      1. Mobl Indemnification.
        1. Mobl shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services, or any use of the Services in accordance with the Agreement, infringes or misappropriates such third party’s US patents, copyrights, or trade secrets, provided that Customer promptly notifies Mobl in writing of the claim, cooperates with Mobl, and allows Mobl sole authority to control the defense and settlement of such claim.
        2. If such a claim is made or appears possible, Customer agrees to permit Mobl, at Mobl’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Mobl determines that neither alternative is reasonably available, Mobl may terminate the Agreement, in its entirety or with respect to the affected component or part, effective immediately on Notice to Customer.
        3. This Section 8(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Mobl or authorized by Mobl in writing; (B) modifications to the Services not made by Mobl; or (C) Customer Data.
        4. Customer Indemnification. Customer shall indemnify, hold harmless, and, at Mobl’s option, defend Mobl from and against any Losses resulting from (i) any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with the Agreement, infringes or misappropriates such third party’s intellectual property rights, and (ii) any Third-Party Claims based on Customer’s or any Authorized User’s (A) negligence, willful misconduct and/or failure to comply with laws, rules, regulations or professional standards; (B) use of the Services in a manner not authorized by the Agreement; (C) use of the Services in combination with data, software, hardware, equipment or technology not provided by Mobl or authorized by Mobl in writing; or (D) modifications to the Services not made by Mobl.  Customer may not settle any such Third-Party Claim against Mobl unless Mobl consents to such settlement, and further provided that Mobl will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.
    22. Term and Termination.
      1. Term. Except to the extent otherwise set forth in this applicable Service Order, the initial term of the Agreement begins on the Effective Date and, unless terminated earlier pursuant to the Agreement’s express provisions, will continue in effect until three years from such date (the “Initial Term”), and will thereafter automatically renew for additional successive one year terms (each a “Renewal Term” and together with the Initial Term, the “Term”) unless earlier terminated pursuant to the Agreement’s express provisions or either Party gives the other Party Notice of non-renewal at least 90 days prior to the expiration of the Initial Term or the then-current Renewal Term.
      2. Termination. In addition to any other express termination right set forth in the Agreement:
        1. Mobl may terminate the Agreement, effective on Notice to Customer, if Customer: (A) fails to pay any amount when due hereunder, and such failure continues more than 15 days after Mobl’s delivery of Notice thereof; or (B) breaches any of its obligations under Section 2(b) or Section 5;
        2. either Party may terminate the Agreement, effective on Notice to the other Party, if the other Party materially breaches the Agreement, and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured 30 days after the non-breaching Party provides the breaching Party with Notice of such breach; or
        3. either Party may terminate the Agreement, effective immediately upon Notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.
      3. Effect of Expiration or Termination. Upon expiration or earlier termination of the Agreement, Customer shall immediately discontinue use of the Services. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination, or entitle Customer to any refund.
      4. Survival. This Section 10(d) and Sections 1, 4, 5, 6, 7(b), 8, 9, and 11 survive any termination or expiration of the Agreement. No other provisions of the Agreement survive the expiration or earlier termination of the Agreement.
    23. Miscellaneous.
      1. Entire Agreement. The Agreement constitutes the sole and entire agreement of the Parties with respect to the subject matter of the Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter.
      2. Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth on the Service Order (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section 11(b)). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in the Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section 11(b).
      3. Force Majeure. In no event shall Mobl be liable to Customer, or be deemed to have breached the Agreement, for any failure or delay in performing its obligations under the Agreement, if and to the extent such failure or delay is caused by any circumstances beyond Mobl’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.
      4. Amendment and Modification; Waiver. No amendment to or modification of the Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. No (i) failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from the Agreement will operate or be construed as a waiver thereof and (ii) single or partial exercise of any right, remedy, power, or privilege under the Agreement will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.
      5. Severability. If any provision of the Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of the Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify the Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.
      6. Governing Law; Arbitration. The Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to the choice of law provisions thereof. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Agreement. Any contract dispute or claim arising out of, or in connection with, the Agreement shall be finally settled by binding arbitration in Raleigh, North Carolina, in accordance with N.C. Gen. Stat. §1-569.1 et seq. and the then-current rules and procedures of the American Arbitration Association by one (1) arbitrator appointed by the American Arbitration Association. The arbitrator shall apply the law of the State of North Carolina, without reference to rules of conflict of law or statutory rules of arbitration, to the merits of any dispute or claim. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. In the event that any arbitration, action or proceeding is brought in connection with the Agreement, the prevailing Party shall be entitled to recover its costs and reasonable attorneys’ fees in accordance with N.C. Gen. Stat. §6-21.6. Notwithstanding the foregoing, nothing herein shall preclude either Party from seeking injunctive relief in any state or federal court of competent jurisdiction without first complying with the arbitration provisions of this Section.
      7. Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Mobl. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. The Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.
      8. Export Regulation. The Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Customer shall not, directly or indirectly, export, re-export, or release the Services or the underlying software or technology to, or make the Services or the underlying software or technology accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Services or the underlying software or technology available outside the US.
      9. Electronic Signatures. Signed counterparts of the Service Order may be delivered via facsimile, electronic mail (including pdf or any electronic signature complying with the U.S. federal ESIGN Act of 2000, e.g., or other transmission method and any counterpart so delivered shall be deemed to have been duly and validly delivered and be valid and effective for all purposes.
      10. Independent Contractors. Mobl is acting in performance of the Agreement as an independent contractor, and the Agreement shall not be construed to create any association, partnership, joint venture, employee or agency relationship between Mobl and Customer for any purpose.
      11. Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section 5 or, in the case of Customer, Section 2(b), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.

* * *

Exhibit a


WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 C.F.R. Parts 160 and 164, subparts C, D, and E (the “HIPAA Security Rule”, “HIPAA Breach Notice Rule”, and “HIPAA Privacy Rule”, respectively); and

WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security, Breach Notice and Privacy Rules (hereinafter, all references to the HIPAA Security Rule, Breach Notice Rule or Privacy Rule are deemed to include all amendments to such rules contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and

WHEREAS, the Parties have entered into the Agreement, whereby Mobl (“Business Associate”) will provide the Services to Customer (“Covered Entity”), and, pursuant to the Agreement, Business Associate may be considered a “business associate” of Covered Entity, as defined in HIPAA or the HIPAA Security Rule, HIPAA Breach Notice Rule or HIPAA Privacy Rule; and

WHEREAS, Business Associate may have access to Protected Health Information as defined below, in fulfilling its responsibilities under the Agreement.

By executing the Service Order and entering into the Agreement, the Parties hereby agree to the terms and conditions of this BAA.  

Article 1

Terms used but not otherwise defined in this BAA shall have the same meanings as are ascribed to those terms in (a) HIPAA and HITECH, and any current and future regulations promulgated under HIPAA or HITECH, and (b) the Terms to which this BAA is attached as Exhibit A.

1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the HIPPA Privacy Rule that compromises the security or privacy of the Protected Health Information. The term Breach shall not include:

(a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or

(b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or

(c) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

1.2 “Designated Record Set” means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.

1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Rule.

1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.5 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Protected Health Information includes, without limitation, Electronic Protected Health Information, as defined above. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this BAA.

1.6 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.

1.7 “Unsecured Protected Health Information” or “Unsecured PHI” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in the HIPAA Breach Notice Rule.

Article 2
Obligations of Business Associate

2.1 General Use or Disclosure of PHI. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, if such use or disclosure would not violate HIPAA if done by Covered Entity.

2.2 Limited Use or Disclosure of PHI. Business Associate will not sell PHI, receive any form of remuneration in exchange for PHI, or use or disclose PHI for marketing or fund raising purposes without valid authorization. In addition, Business Associate will not use or further disclose Protected Health Information for any purpose other than:

(a) to perform the Services agreed to by the Parties;

(b) for the proper management and administration of Business Associate or in accordance with its legal responsibilities, provided that for any such disclosure:

(i) the disclosure is required by law; or

(ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

(c) to provide data aggregation services relating to health care operations of Covered Entity (for purposes of this BAA, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities);

(d) to report violations of the law to law enforcement; or

(e) to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514 (resulting de-identified information shall not be subject to the terms of this BAA).

2.3 Subcontractors. Business Associate agrees to take reasonable measures to ensure that any subcontractor to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of such Protected Health Information.

2.4 Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity and comply with applicable provisions of the HIPAA Security Rule.

2.5 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Unsecured Protected Health Information by Business Associate in violation of this BAA.

2.6 Compliance. Business Associate will comply with all applicable requirements of the HIPPA Privacy Rule, including those contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii). To the extent Business Associate performs any of Covered Entity’s obligations under the HIPAA Privacy Rule, Business Associate will comply with the requirements of the HIPAA Privacy Rule that apply to Covered Entity in the performance of those obligations. C.F.R..

2.7 Notice of Use or Disclosure, Security Incident or Breach. 

(a) Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this BAA, any Security Incident (as defined in 45 C.F.R. § 164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of Breach. Business Associate shall provide the following information in such notice to Covered Entity, to the extent such information is available:

(i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;

(ii) a description of the nature of the Breach including the types of Unsecured PHI that were involved, the date of the Breach and the date of discovery;

(iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);

(iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;

(v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and

(vi) any other details available to Business Associate that may be necessary for Covered Entity to comply with the HIPAA Breach Notice Rule.

(b) Covered Entity will be responsible for providing notification to Individuals whose Unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HIPAA Breach Notice Rule. In the event that a Breach of Unsecured PHI, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s Breach analysis procedures, including risk assessment and determination of the extent of access of such Unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.

(c) The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this BAA, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.

2.8 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in a time and manner mutually agreed upon by Covered Entity and Business Associate, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by 45 C.F.R. § 164.524. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the Covered Entity or the applicable Individual, as directed by Covered Entity.

2.9 Restrictions. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to 45 C.F.R. § 164.522 of the HIPAA Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity in writing, unless otherwise required by law or for emergency purposes.

2.10 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set in accordance with 45 C.F.R. § 164.526 that Covered Entity directs or agrees to implement, upon written request of Covered Entity.

2.11 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner designated by the Secretary, for the purposes of the Secretary in determining the Parties’ compliance with HIPAA and any corresponding regulations.

2.12 Accounting. Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by 45 C.F.R. § 164.528. The accounting shall be made within a reasonable amount of time, mutually agreed upon by Covered Entity and Business Associate, upon receipt of a written request from Covered Entity.

2.13 Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.

Article 3
Obligations of Covered Entity

3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.

3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information to which Covered Entity has agreed, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.

3.4 Appropriate Requests. Except as otherwise provided in this BAA, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.

3.5 Minimum Necessary. Covered Entity shall disclose only the minimum amount of PHI necessary for Business Associate to provide the services and will assist Business Associate in meeting the minimum necessary principle as required by HIPAA and this BAA.

3.6 Consents. Covered Entity shall obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.

Article 4
Term and Termination

4.1 Term. The Term of this BAA shall be effective as of the Effective Date and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.

4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a material breach of this BAA, the non- breaching Party may take one of the following steps:

(a) Provide an opportunity for the breaching Party to cure the material breach or end the violation, and if the breaching Party does not cure the material breach or end the violation within a reasonable time to be mutually agreed upon by the Parties, terminate this BAA; or

(b) Immediately terminate this BAA if the other Party has committed a material breach of the Agreement and cure of the material breach is not possible.

4.3 Disposition of PHI upon Termination or upon Request.

(a) Upon termination of this BAA, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associate on behalf of Covered Entity which Business Associate still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.

(b) It may not be feasible for Business Associate to return or destroy all copies of Customer Data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this BAA to the information and limit further uses and disclosures solely to those purposes as originally intended under this BAA that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Article 5

5.1 No Third Parties; Survival. Except as expressly stated herein or within HIPAA, the Parties to this BAA do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this BAA, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.

5.2 Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the Parties to comply with the requirements of HIPAA and any other applicable regulations.  In the event a Party believes in good faith that any provision of this BAA fails to comply with the then-current requirements of HIPAA, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this BAA, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with HIPAA, then either Party has the right to terminate upon Notice to the other Party.

5.3 Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.

Documobl by Mobl Solutions, LLC

© 2019 Documobl. All rights reserved. Made by IOT-EDGE