The Services Agreement (“Agreement”) between Medfusion and Client consists of
these Terms and Conditions (the “Terms”), one or more Service Orders, and the
Business Associate Agreement set forth below. These Terms shall apply to each
Service Order executed by Medfusion and Client.
1.1 “Affiliate” means, with respect to a given person or entity, a person or entity that directly or indirectly controls, is controlled by, or is under common control with, such person or entity.
1.2 “Application Services” means hosting and operating a Medfusion Application to provide Client with access to and use of such Medfusion Application.
1.3 “Authorized Users” means persons authorized by Client (including its employees, Patients and Providers) to access and use the Services who possess an authorized user ID and password and for whom Client has paid the applicable user fees.
1.4 “Client” means the party identified as such on the applicable Service Order.
1.5 “Consulting Services” shall mean any training, consulting, data migration, conversion, integration, implementation and/or other services provided by Medfusion to Client, as described in the Service Order.
1.6 “Content” means all of Client’s Confidential Information, software applications, text, pictures, sound, graphics, video and other data transmitted by Authorized Users using the Services.
1.7 “Medfusion” means Medfusion, Inc., a Delaware corporation.
1.8 “Medfusion Application” means all software and databases used by Medfusion to provide the Application Services to Client.
1.9 “Patient” means a person seeking health care and who, prior to using the Application Services, has been determined by Client to have a patient-physician relationship with a Physician in accordance with the applicable requirements of State law and of the applicable State licensure boards.
1.10 “Physician” means a licensed physician that participates in Client’s medical practice.
1.11 “Provider” means a provider of medical or health services, including, but not limited to a Physician, a physician assistant, nurse, physical therapist or psychotherapist.
1.12 “Service Order” means the document captioned “Services
Agreement Order Form” (or is similarly styled) that includes a written description
of the Services to be provided by Medfusion to Client, is executed by Client and
Medfusion, and expressly refers to these Terms and this Agreement.
1.13 “Services” means the Application Services, Consulting Services and the other services identified in Section 2.1 of these Terms.
2.1 Services. Medfusion shall use commercially reasonable efforts to provide the Services in accordance with the terms and conditions of this Agreement. In the event of any conflict between these Terms and a Service Order, these Terms shall govern, except in the event that the conflicting provision is designated as a “Special Consideration” in the Service Order, in which case such Special Consideration shall govern. In addition to the Application Services and the Consulting Services, the Services shall include: (i) the provision of technical support to Client (including Client’s employees and authorized Providers) via email during Medfusion’s regular business hours, in accordance with Medfusion’s then-current technical support policies and (ii) Medfusion’s then-current online training. Client’s Providers and employees shall complete such training prior to their use of the Application Services. Upon Client’s request, Medfusion may provide additional technical support at Medfusion’s then-current hourly rates, subject to the execution of a mutually agreed-upon Service Order.
2.2 Security. Medfusion has implemented commercially reasonable security measures to prevent unauthorized access to computer hardware and other equipment and/or software possessed and used by Medfusion to provide the Application Services. Client shall be solely responsible for the security of Client’s operating environment.
2.3 MedFusion Application Changes. Medfusion may from time to time develop enhancements, upgrades, updates, improvements, modifications, extensions and other changes to the Application Services (“Medfusion Application Changes“). Client hereby authorizes Medfusion to implement such Medfusion Application Changes for use with the Application Services, provided that such Medfusion Application Changes do not have a material adverse effect on the functionality or performance of the Application Services. When commercially practicable, Medfusion shall notify Client in advance of the implementation of any material Medfusion Application Changes.
2.4 Cooperation; Access. Client acknowledges that the successful and timely rendering of the Services shall require the good faith cooperation of Client. Medfusion shall not be liable for any failure to perform the Services that arises from Client’s failure to cooperate with Medfusion.
2.5 Special Terms. The Application Services provided to Client shall be subject to any specific limitations set forth in the Service Order, including limitations on bandwidth and data storage.
3. USE OF THE APPLICATION SERVICES.
3.1 Medfusion License. Medfusion hereby grants to Client a nontransferable, non-exclusive license, during the Term, to allow Authorized Users to access and use, over public and private networks, the Application Services for Client’s medical practice and not for use by any third party practice. The number of Providers accessing the Application Services shall not exceed the number of Providers contracted for by Client, as indicated in the Service Order. Client shall notify Medfusion in writing in the event it wishes to increase the number of Providers who will have access to the Application Services. Upon receipt of such notice, Medfusion shall increase the number of Providers and the fees payable hereunder at Medfusion’s then-current rates. Client may, upon 90 days’ written notice, reduce the number of Providers by up to ten percent (10%) during the Initial Term or any Renewal Term of this Agreement.
3.2.1 Medfusion owns all right, title and interest in and to the Application Services and the Medfusion Application. The Application Services are provided to Client for use only as expressly set forth in this Agreement, and Client will not use the Application Services in whole or in part for any other use or purpose. Client will not, and will not allow any third party to (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques or algorithms of the Medfusion Application by any means, or disclose any of the foregoing; (ii) except as expressly set forth in this Agreement, provide, rent, lease, lend, or use the Medfusion Application for timesharing, subscription, or service bureau purposes; or (iii) sublicense, transfer or assign the Medfusion Application or any of the rights or licenses granted under this Agreement.
3.2.2 Client shall not use the Application Services for storage, possession, or transmission of any information, the possession, creation or transmission of which violates any state, local or federal law, including, without limitation, those laws regarding stolen materials, obscene materials or child pornography.
3.2.3 Client shall not transmit Content over the Application Services that infringes upon or misappropriates the intellectual property or privacy rights of any third party.
3.2.4 Client understands the Application Services stream-line the normal operations of a medical practice and that the Application Services are not designed for medical emergencies. Client agrees to inform its Patients that the Application Services are not designed for emergency use.
3.2.5 Medfusion and Client agree that only appropriately licensed Providers shall assess, diagnose, and recommend treatment for Patients. Client acknowledges and agrees that Medfusion is not engaged in the practice of medicine through the provision of the Services contemplated herein. Client shall take all actions required to ensure that Client’s and its Authorized Users’ use of the Application Services is in compliance with all applicable laws, rules, regulations and professional standards. Client shall be solely responsible for verifying the identity and authenticity of Authorized Users. Neither party shall interfere with, control, or otherwise influence the physician-patient relationship established between a Physician and a Patient. Client shall take all reasonable precautions to ensure that the Application Services are utilized by its Authorized Users in a manner consistent with applicable ethical and legal requirements. MEDFUSION SHALL HAVE NO OBLIGATION, RESPONSIBILITY OR LIABILITY FOR ANY PHYSICIAN’S PROVISION OF PROFESSIONAL SERVICES.
3.2.6 Nothing in this Agreement shall be construed as an offer for payment by one party to the other party or any Affiliate of the other party of any cash or other remuneration, whether directly or indirectly, overtly or covertly, for Patient referrals or for recommending or for arranging, purchasing, leasing or ordering any item or service.
3.3 Client Content. Client hereby grants to Medfusion a worldwide, non-exclusive, fully paid-up license to use, copy, modify, enhance, display, publish, distribute, create derivative works of and otherwise use the Content in any manner reasonably necessary to perform the Services. Client represents and warrants that it has all rights necessary to grant Medfusion the foregoing license. Client further represents and warrants that Client owns or all right, title and interest in and to the Content or has a license granting it the rights necessary to permit it to grant the foregoing license. If Client licenses any Content, it shall not provide such Content to Medfusion until it provides Medfusion with a copy of the license.
4.1 Fees. Client agrees to pay Medfusion for the performance of the Services in accordance with the rates and fees specified in the Service Order. Following the first anniversary of a Service Order, Medfusion may increase the rates and fees set forth in such Service Order upon notice to Client; provided, however, that such increases shall not be implemented more than once in any twelve (12) month period. Medfusion shall give Client notice of such increase prior to its effective date. Unless otherwise set forth in the Service Order, all payments shall be made in United States dollars no later than thirty (30) days after the date of invoice. All payments not received when due shall accrue interest at a rate per month of one and one-half percent (1.5%). Any failure to make timely payments hereunder shall be deemed to be a material breach of this Agreement and, upon such a default, Medfusion shall have the right to (a) suspend performance of any or all Services hereunder upon ten (10) days’ written notice to Client, (b) modify the payment terms, and/or (c) require full payment (including any accrued interest) before restarting its performance of any suspended Services.
4.2 The fees payable under this Agreement shall not include local, state or federal sales, use, value-added, excise or personal property or other similar taxes or duties now in force or enacted in the future imposed on the transaction and/or the delivery of the Services, all of which Client shall be responsible for and pay in full, except those taxes based on the net income of Medfusion.
5. TERM AND TERMINATION.
5.1 Term. Unless earlier terminated in accordance with its terms, each Service Order will have the initial term set forth in the Service Order (the “Initial Term“). Unless otherwise set forth in a Service Order, upon the expiration of each Initial Term, the term of a Service Order will renew automatically for additional terms (each, a “Renewal Term“, and together with the Initial Term, the “Term“), unless either a party notifies the other party, at least ninety (90) days prior to the end of the then-current Term that it has elected to terminate such Service Order, in which event such Service Order will terminate at the end of such Term. Each Renewal Term shall be of the same duration as the stated duration of the Initial Term. Unless earlier terminated in accordance with its terms, this Agreement will expire on the date the last Service Order then in effect expires or is terminated pursuant to the terms and conditions set forth in this Agreement.
5.2 Termination for Cause. Except as otherwise provided herein, either party may terminate this Agreement upon the material breach of the other party, if such breach remains uncured for thirty (30) days following written notice to the breaching party.
5.3 Effect of Termination. Upon the expiration or termination of this Agreement, Medfusion will terminate Client’s access to the Application Services and will cease the provision of all Services.
6. WARRANTIES; DISCLAIMER
6.1 Medfusion hereby warrants that, during the Term, the Application Services will perform, in all material respects, in accordance with their then-current published functional specifications. In the event of any failure of the Application Services to perform in a material respect to such specifications, Medfusion will, as Client’s sole and exclusive remedy for such failure, repair the applicable Application Service.
6.2 DISCLAIMER OF WARRANTIES. EXCEPT AS SET FORTH IN SECTION 6.1, MEDFUSION MAKES NO WARRANTIES REGARDING THE SERVICES, AND MEDFUSION HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE SERVICES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY OR SECURITY. MEDFUSION DOES NOT WARRANT THAT ACCESS TO OR USE OF THE APPLICATION SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE APPLICATION SERVICE WILL BE CORRECTED, OR THAT THE SERVICES WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. MEDFUSION DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES.
Medfusion and Client acknowledge and agree that (a) the provisions of this Section 6.2 and Section 9, below, allocate the risks under this Agreement between Medfusion and Client, and (b) Medfusion’s pricing for the Services reflects this allocation of risk and the limitation of liability specified herein and therein.
7.1 Infringement. Medfusion shall defend, indemnify and hold harmless Client, its subsidiaries, Affiliates, officers, directors, agents, employees and assigns, from and against any and all claims, suits, proceedings, losses, damages, liabilities, costs and expenses (including, without limitation, reasonable attorneys’ fees) (collectively, “Losses“) suffered or incurred by them in connection with a third party claim arising out of any actual or threatened claim that the Application Services infringes upon or misappropriates any copyright, patent, trademark, trade secret, or other proprietary or other rights of any third party. Medfusion shall have no obligation to indemnify Client to the extent the alleged infringement arises out of (i) the use of the Application Services in combination by Client with other data products, processes or materials not provided by Medfusion and such infringement would not have occurred but for Client’s combination; or (ii) the Content. Should the Application Services as used by Client become, or in Medfusion’s opinion be likely to become, the subject of an infringement claim, Medfusion shall at its option and sole expense either: (a) procure for Client the right to continue to use the Application Services as contemplated hereunder, or (b) modify the Application Services to eliminate any such claim that might result from its use hereun¬der, or (c) replace the Application Services with an equally suitable, compatible and functionally equivalent non-infringing Application Services at no additional charge to Client. If none of these options is reasonably available to Medfusion, then this Agreement may be terminated at the option of either party hereto without further obligation or liability on the part of either party hereto except that Medfusion agrees to promptly refund to Client the pro-rata portion of any fees prepaid by Client, amortized on a straight-line basis over the Term.
7.2 Client Indemnity. Client shall defend, indemnify and hold harmless Medfusion, its subsidiaries, Affiliates, officers, directors, agents, employees and assigns, from and against any and all Losses suffered or incurred by them in connection with a third party claim arising out of (i) a breach by Client of this Agreement, (ii) Client’s and/or its Authorized Users’ use of the Services, or (iii) Client’s and/or its Providers’ failure to comply with laws, rules, regulations or professional standards.
7.3 Mechanics of Indemnity. The indemnifying party’s obligations are conditioned upon the indemnified party: (i) giving the indemnifying party prompt written notice of any claim, action, suit or proceeding for which the indemnified party is seeking indemnity; (ii) granting control of the defense and, subject to the provisions of Section 7.4 below, settlement to the indemnifying party; and (iii) reasonably cooperating with the indemnifying party at the indemnifying party’s expense.
7.4 Settlement of Indemnified Claims. The indemnifying party
shall give prompt written notice to the indemnified party of any proposed settlement
of a indemnified claim. The indemnifying party may not, without the prior written
consent of the indemnified party, which the indemnified party shall not unreasonably
withhold, condition or delay, settle or compromise any claim or consent to the entry
of any judgment with respect to which indemnification is being sought hereunder
unless such settlement, compromise or consent: (a) includes an unconditional release
of the indemnified party from all liability arising out of such claim; (b) does not
contain any admission or statement suggesting any wrongdoing or liability on behalf
of indemnified party; and (c) does not contain any equitable order, judgment or term
(other than the fact of payment or the amount of such payment) that in any manner
affects, restrains or interferes with the business of the indemnified party.
8.1 Except as expressly permitted in this Section 8, no party will, without the prior written consent of the other party, disclose any Confidential Information of the other party to any third party. Information will be considered Confidential Information of a party if either (i) it is disclosed by the party to the other party in tangible form and is conspicuously marked “Confidential”, “Proprietary” or the like; or (ii) (a) it is disclosed by a party to the other party in non-tangible form and is identified as confidential at the time of disclosure; and (b) it contains the disclosing party’s customer lists, customer information, technical information, pricing information, pricing methodologies, or information regarding the disclosing party’s business planning or business operations. In addition, notwithstanding anything in this Agreement to the contrary, the terms of this Agreement will be deemed Confidential Information of Medfusion. Medfusion may, in any manner, publicly announce the relationship with Client. Medfusion may also develop, with Client’s review and approval, a business use case that may be used for Medfusion’s marketing purposes.
8.2 Other than the terms and conditions of this Agreement, information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party. In the event of a dispute, the receiving party shall have the burden of proving that one of the foregoing exceptions applies.
8.3 Each party will secure and protect the Confidential Information of the other party (including, without limitation, the terms and conditions of this Agreement) in a manner consistent with the steps taken to protect its own trade secrets and confidential information, but, in any event, not less than a commercially reasonable degree of care. Each party may disclose the other party’s Confidential Information where (i) the disclosure is required by applicable law or regulation or by an order of a court or other governmental body having jurisdiction after giving reasonable notice to the other party with adequate time for such other party to seek a protective order; (ii) in the opinion of counsel for such party, disclosure is advisable under any applicable securities laws regarding public disclosure of business information; or (iii) the disclosure is reasonably necessary and is to that party’s, or its Affiliates’, employees, officers, directors, attorneys, accountants and other advisors, or the disclosure is otherwise necessary for a party to exercise its rights and perform its obligations under this Agreement, so long as in all cases the disclosure is no broader than necessary and the person or entity who receives the disclosure agrees prior to receiving the disclosure to keep the information confidential. Each party is responsible for ensuring that any Confidential Information of the other party that the first party discloses pursuant to this Section 8 (other than disclosures pursuant to clauses (i) and (ii) above that cannot be kept confidential by the first party) is kept confidential by the person receiving the disclosure.
9. LIMITATIONS OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY
CONTAINED IN THIS AGREEMENT, MEDFUSION AND ITS SHAREHOLDERS, AFFILIATES,
DIRECTORS, OFFICERS, EMPLOYEES AND OTHER REPRESENTATIVES SHALL NOT BE LIABLE TO
CLIENT, AUTHORIZED USERS OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL,
EXEMPLARY, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING ANY DAMAGES FOR
BUSINESS INTERRUPTION, LOSS OF DATA, LOSS OF USE, ATTORNEYS’ FEES, LOST REVENUES
OR LOST PROFITS), WHETHER ARISING OUT OF BREACH OF CONTRACT, TORT (INCLUDING
NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE
AND WHETHER OR NOT MEDFUSION HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH
IN ANY EVENT, MEDFUSION’S AGGREGATE LIABILITY FOR DAMAGES, LOSSES, COSTS, AND EXPENSES ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, SHALL NOT EXCEED THE AMOUNTS RECEIVED BY MEDFUSION FROM CLIENT PURSUANT TO THIS AGREEMENT IN THE TWELVE MONTHS PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. THE FOREGOING LIMITATIONS SHALL APPLY EVEN IF THE CLIENT’S REMEDIES UNDER THIS AGREEMENT FAIL OF THEIR ESSENTIAL PURPOSE.
10. GENERAL PROVISIONS.
10.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to the choice of law provisions thereof. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement. Any contract dispute or claim arising out of, or in connection with, this Agreement shall be finally settled by binding arbitration in Raleigh, North Carolina, in accordance with N.C. Gen. Stat. §1-569.1 et seq. (the “Revised Uniform Arbitration Act“) and the then current rules and procedures of the American Arbitration Association by one (1) arbitrator appointed by the American Arbitration Association. The arbitrator shall apply the law of the State of North Carolina, without reference to rules of conflict of law or statutory rules of arbitration, to the merits of any dispute or claim. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. In the event that any arbitration, action or proceeding is brought in connection with this Agreement, the prevailing party shall be entitled to recover its costs and reasonable attorneys’ fees in accordance with N.C. Gen. Stat. §6-21.6. Notwithstanding the foregoing, nothing herein shall preclude either party from seeking injunctive relief in any state or federal court of competent jurisdiction without first complying with the arbitration provisions of this Section.
10.2 Severability. If any provision of this Agreement is held to be invalid or unenforceable for any reason, it shall be deemed omitted and the remaining provisions will continue in full force without being impaired or invalidated in any way. The parties agree to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
10.3 Waiver. The waiver by either party of a breach of any provision of this Agreement will not operate or be interpreted as a waiver of any other or subsequent breach.
10.4 Assignment. This Agreement shall be binding upon the parties’ respective successors and permitted assigns. Client shall not assign this Agreement, and/or any of its rights and obligations hereunder, without the prior written consent of Medfusion, which consent shall not be unreasonably withheld. This Agreement, and the rights and obligations herein, may be assigned by Medfusion to any person or entity without the written consent of the Client.
10.5 Independent Contractors. Medfusion is acting in performance of this Agreement as an independent contractor, and this Agreement shall not be construed to create any association, partnership, joint venture, employee or agency relationship between Medfusion and Client for any purpose.
10.6 Strategic Relationships. Medfusion may enter into strategic relationships with third parties that may benefit Client by increasing Patient requests. In such an event, Medfusion shall be permitted to place appropriate links, icons or displays within the Medfusion Application that is accessed as part of the Application Services. Although Medfusion may include links providing direct access to third-party Internet sites as a convenience, the inclusion of a link does not imply endorsement of the linked site by Medfusion. Medfusion does not take responsibility for the content or information contained on such third-party sites, and does not exert any editorial or other control over such third-party sites. Medfusion does not take responsibility for the privacy policies and practices of such third-party links.
10.7 Notices. All notices required to be given under the terms of this Agreement or which any of the parties hereto may desire to give hereunder, shall be in writing, shall be delivered via one of the following methods, and shall be deemed to have been received: (i) on the day given delivered by hand (securing a receipt evidencing such delivery); or (ii) on the second day after such notice is sent by a nationally recognized overnight or two (2) day air courier service, full delivery cost paid; or (iii) on the fifth day after such notice was mailed, registered U.S. mail, postage prepaid, return receipt requested, and addressed to the party to be notified at the address set forth for such party in the Service Order.
10.8 Survival. All provisions of this Agreement relating to proprietary rights, payment of fees accrued, confidentiality and non-disclosure, indemnification and limitation of liability shall survive the completion of the Services or any termination or expiration of this Agreement.
10.9 Legal Fees. In the event of any proceeding or lawsuit brought by MedFusion or Client in connection with this Agreement, the prevailing party shall be entitled to recover its costs and legal fees (including, but not limited to, allocated costs of in-house legal counsel) in accordance with N.C. Gen. Stat. §6-21.6.
10.10 Force Majeure. Neither party will be liable to the other for failure to meet its obligations under this Agreement where such failure is caused by events beyond its reasonable control, such as fire, failure of communications networks, riots, civil disturbances, embargos, storms, acts of terrorism, pestilence, war, floods, tsunamis, earthquakes or other acts of God.
10.11 Subsequent Modifications. No amendment, alteration or modification of this Agreement shall be effective or binding unless it is set forth in a writing signed by duly authorized representatives of both parties.
10.12 Entire Agreement. This Agreement constitutes the entire agreement between the parties in connection with the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, of the parties, and there are no warranties, representations and/or agreements among the parties in conjunction with the subject matter hereof except as set forth in this Agreement.
10.13 Electronic Signatures. The execution of a Service Order by electronic mail or by any other electronic means shall be deemed to constitute effective execution of this Agreement as to the parties hereto. Such electronic signatures may be used by the parties in lieu of the original signature page of the applicable Service Order for any and all purposes. Additionally, any signatures of the parties to a Service Order that are transmitted to the other party by facsimile shall be deemed original signatures for all purposes.
BUSINESS ASSOCIATE AGREEMENT AMENDED AND RESTATED
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 C.F.R. Parts 160 and 164, subparts C, D, and E (the “HIPAA Security Rule”, “HIPAA Breach Notice Rule”, and “HIPAA Privacy Rule”, respectively); and
WHEREAS, the American Recovery and Reinvestment Act (“ARRA”) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security, Breach Notice and Privacy Rules (hereinafter, all references to the HIPAA Security Rule, Breach Notice Rule or Privacy Rule are deemed to include all amendments to such rules contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties wish to enter into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in HIPAA or the HIPAA Security Rule, Breach Notice Rule or Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information as defined below, in fulfilling its responsibilities under such arrangement; and
If a Service Order (as defined in the Terms set forth above) entered into under a Services Agreement between Medfusion and the client thereto provides that such Service Order is subject to Medfusion’s standard Terms and Conditions, then Medfusion (“Business Associate”), and such client (the “Covered Entity”) (each a “Party” and, collectively, the “Parties”) hereby agree to the terms and conditions of this Business Associate Agreement (this “Business Associate Agreement”).
Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as the meaning ascribed to those terms in the HIPAA and HITECH, and any current and future regulations promulgated under HIPAA or HITECH.
1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the “Privacy Rule” which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
(a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
(b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
(c) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
1.2 “Designated Record Set” means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.
1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Rule.
1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.5 “Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and:
(a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
(b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.6 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined above. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Business Associate Agreement.
1.7 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
1.8 “Unsecured Protected Health Information” or “Unsecured PHI” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in the HIPAA Breach Notice Rule.
Obligations of Business Associate
2.1 General Use or Disclosure of PHI. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, if such use or disclosure would not violate HIPAA if done by Covered Entity.
2.2 Limited Use or Disclosure of PHI. Business Associate will not sell PHI, receive any form of remuneration in exchange for PHI, or use or disclose PHI for marketing or fund raising purposes without valid authorization. In addition, Business Associate will not use or further disclose Protected Health Information for any purpose other than:
(a) to perform the services agreed to by the Parties;
(b) for the proper management and administration of Business Associate or in accordance with its legal responsibilities, provided that for any such disclosure:
(i) the disclosure is required by law; or
(ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
(c) to provide data aggregation services relating to health care operations of Covered Entity (for purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities);
(d) to report violations of the law to law enforcement; or
(e) to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514 (resulting de-identified information shall not be subject to the terms of this Business Associate Agreement).
2.3 Subcontractors. Business Associate agrees to take reasonable measures to ensure that any subcontractor to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of such Protected Health Information.
2.4 Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity and comply with applicable provisions of the HIPAA Security Rule.
2.5 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Unsecured Protected Health Information by Business Associate in violation of this Business Associate Agreement.
2.6 Compliance. Business Associate will comply with all applicable requirements of the HIPPA Privacy Rule, including those contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii). To the extent Business Associate performs any of Covered Entity’s obligations under the HIPAA Privacy Rule, Business Associate will comply with the requirements of the HIPAA Privacy Rule that apply to Covered Entity in the performance of those obligations. C.F.R..
2.7 Notice of Use or Disclosure, Security Incident or Breach. (a) Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. § 164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of Breach. Business Associate shall provide the following information in such notice to Covered Entity, to the extent such information is available:
(i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
(ii) a description of the nature of the Breach including the types of Unsecured PHI that were involved, the date of the Breach and the date of discovery;
(iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);
(iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;
(v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and
(vi) any other details available to Business Associate that may be necessary for Covered Entity to comply with the HIPAA Breach Notice Rule.
(b) Covered Entity will be responsible for providing notification to Individuals whose Unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HIPAA Breach Notice Rule. In the event that a Breach of Unsecured PHI, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s Breach analysis procedures, including risk assessment and determination of the extent of access of such Unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.
(c) The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Business Associate Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
2.8 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in a time and manner mutually agreed upon by Covered Entity and Business Associate, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by 45 C.F.R. § 164.524. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the Covered Entity or the applicable Individual, as directed by Covered Entity.
2.9 Restrictions. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to 45 C.F.R. § 164.522 of the HIPAA Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity in writing, unless otherwise required by law or for emergency purposes.
2.10 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set in accordance with 45 C.F.R. § 164.526 that Covered Entity directs or agrees to implement, upon written request of Covered Entity.
2.11 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in a time and manner designated by the Secretary, for the purposes of the Secretary in determining the Parties’ compliance with HIPAA and any corresponding regulations.
2.12 Accounting. Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by 45 C.F.R. § 164.528. The accounting shall be made within a reasonable amount of time, mutually agreed upon by Covered Entity and Business Associate, upon receipt of a written request from Covered Entity.
2.13 Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
Obligations of Covered Entity
3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.
3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information to which Covered Entity has agreed, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.
3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.
3.5 Minimum Necessary, Covered Entity shall disclose only the minimum amount of PHI necessary for Business Associate to provide the services and will assist Business Associate in meeting the minimum necessary principle as required by HIPAA and this Business Associate Agreement.
3.6 Consents. Covered Entity shall obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.
Term and Termination
4.1 Term. The Term of this Business Associate Agreement shall be effective as of the Effective Date and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a material breach of this Business Associate Agreement, the non- breaching Party may take one of the following steps:
(a) Provide an opportunity for the breaching Party to cure the material breach or end the violation, and if the breaching Party does not cure the material breach or end the violation within a reasonable time to be mutually agreed upon by the Parties, terminate this Business Associate Agreement; or
(b) Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Agreement and cure of the material breach is not possible.
4.3 Disposition of PHI upon Termination or upon Request.
(a) Upon termination of this Business Associate Agreement, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associate on behalf of Covered Entity which Business Associate still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.
(b) It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Business Associate Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Business Associate Agreement that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
5.1 No Third Parties; Survival. Except as expressly stated herein or within HIPAA, the Parties to this Business Associate Agreement do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Business Associate Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
5.2 Amendment. The Parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for the Parties to comply with the requirements of HIPAA and any other applicable regulations.
5.3 Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
5.4 Prior Agreement.This Business Associate Agreement shall replace and supersede any prior Business Associate Agreement between the Parties.
5.5 Notices. Except as otherwise specified herein, all notices, demands or communications required under this Business Associate Agreement shall be in writing and delivered personally, or sent either by U.S. certified mail, postage prepaid return receipt requested, or by overnight delivery air courier (e.g., Federal Express) to the Parties at their respective addresses set forth above in this Business Associate Agreement. All such notices, requests, demands, or communications shall be deemed effective immediately upon receipt.
5.6 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Business Associate Agreement is the entire agreement between the Parties in connection with the subject matter herein and this Business Associate Agreement may be amended or modified only in a writing signed by the Parties. Either Party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Business Associate Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Business Associate Agreement. Any assignment of this Business Associate Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Business Associate Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Business Associate Agreement and any other agreements between the Parties evidencing their business relationship. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Business Associate Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Business Associate Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Business Associate Agreement fails to comply with the then-current requirements of HIPAA, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Business Associate Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with HIPAA, then either Party has the right to terminate upon written notice to the other Party.
NOTICE TO SERVICE USERS WHO REGISTERED PRIOR TO AUGUST 19, 2013:
These Terms of Service were amended, effective as of August 19, 2013, to reflect Intuit, Inc.’s divestiture of Medfusion, Inc. on such date. From and after that date, Medfusion, Inc. has been owned and operated independently of Intuit, Inc. Accordingly, all references to “Intuit,” “Intuit Health” and similar names in the previous version of these Terms of Service have been replaced with references to “Medfusion” , “Medfusion, Inc.” or similar references. Because Medfusion, Inc. is headquartered in Cary, North Carolina, the governing law, venue and jurisdiction provisions of these Terms of Service have been updated to reflect North Carolina law, the state courts located in Wake County, North Carolina, and the federal courts located in the Eastern District of North Carolina. Finally, the contact address for any privacy-related questions has been updated to read as follows: Medfusion, Inc., 5501 Dillard Dr., Cary, NC 27518.
Last updated 02/20/12