DDX Terms of Use

1. SCOPE

These Terms of Use apply to the entire DDX web site and technology platform, which enables participating practices and laboratories to communicate digitally and all portions of the site contained therein (excluding links to other web sites as provided below) (the "DDX Services"). These Terms of Use shall apply to any future portions of the DDX Services (excluding links to other Web sites as provided below) unless otherwise stated. Under these Terms of Use, Henry Schein Practice Solutions Inc. ("HSPS," "we" or "our") offers the user ("you," "your" or "user") the ability to use the DDX Services and the features and functionalities associated therewith.

2. USE OF THE DDX SERVICES

Use of the DDX Services and access to the material it contains is subject to the following Terms of Use as well as to applicable laws. Your access to and browsing or use of this site constitutes your full acceptance of these Terms of Use. You agree that these Terms of Use including the exhibit is enforceable by HSPS like any written negotiated agreement signed by you. We reserve the right, at our sole discretion, to update or revise these Terms of Use. Please check the Terms of Use periodically for changes. Your continued use of this site following the posting of any changes to the Terms of Use constitutes acceptance of those changes.

You may scroll down to review all of these Terms of Use, and you may print it out as enabled by your browser. You hereby declare that you are the person or entity using the DDX Services. If you are not accepting these Terms of Use on your own behalf, you warrant that you are legally authorized to agree to them on behalf of the entity or individual described in the registration form and that your actions will legally bind that entity or individual.

3. GRANT OF LICENSE AND RESTRICTIONS

The DDX Services are the exclusive property of HSPS or its licensors. All rights not granted herein are reserved by HSPS and its licensors. Subject to these Terms of Use, we hereby grant you a non-exclusive, non-transferable, non-sublicensable, limited license to use the DDX Services for your own internal business purposes. We reserve the right to suspend or deny, in our sole discretion, your access to all or any portion of the DDX Services. Nothing in these Terms of Use shall be construed as an implied grant of any right, and you shall not, and shall not permit any third party to (i) rent, loan, lease or sublicense the DDX Services or any portion thereof; (ii) decompile, disassemble, or otherwise reverse engineer or attempt to deconstruct or discover any source code or underlying ideas or algorithms of the DDX Services by any means whatsoever; (iii) use, copy, modify, merge, or transfer copies of the DDX Services, or any portion thereof, except as provided for in these Terms of Use; (iv) use or reproduce any of the DDX Services in source code format; (v) distribute or disclose to, or allow use of the DDX Services, or any portion thereof, in any format through any timesharing service, service bureau or network or by any other means by, any other third party other than your personnel; or (vi) modify or alter the DDX Services, or any portion thereof, in any manner whatsoever.

4. TERMINATION

HSPS may terminate these Terms of Use at any time. Upon termination, HSPS shall invoice you for all fees due for the entire term, and you shall pay such amount immediately upon receipt of invoice. In the event of any termination or cancellation of these Terms of Use, this section and Sections 5, 10 through 16 and 18 through 27 shall survive.

5. PROPRIETARY RIGHTS

You acknowledge that HSPS or its licensors are the exclusive owner of all right, title and interest in the DDX Services further acknowledge that HSPS or its licensors are the owners and holders of all copyright, patent, trademark, trade names, services marks, designations, trade secret and other proprietary rights therein (collectively, "Proprietary Rights"), and reserves all such Proprietary Rights to itself except as expressly licensed to you hereunder. To the extent that any Proprietary Rights do not otherwise vest in HSPS, you hereby assign all such Proprietary Rights to HSPS, and agree to do all other acts reasonably necessary to perfect HSPS’s ownership thereof, without any additional consideration of any kind.

Your Information. We reserve the right, and you authorize us, to use and freely assign all information regarding the use of this site by you and all information provided by you in any manner consistent with our Privacy Statement. Click here to read our Privacy Statement, which is incorporated into these Terms of Use by reference.

HSPS does not claim any ownership rights in any information, data, photographs, x-rays, digital images or other materials you originate and upload, transmit or otherwise make available through the DDX Services ("User Content"). You continue to retain any ownership rights you have in such User Content. To the extent that HSPS provides you with an opportunity to post, store and exchange User Content, you agree to and hereby do grant, and you represent and warrant that you have the right to grant, HSPS, its contractors, and the users of the DDX Services to which such User Content is transmitted an irrevocable, perpetual, non-exclusive, royalty-free, fully sublicensable, fully paid up, worldwide license to: (i) use, copy, display and distribute such User Content and to prepare derivative works of, or incorporate into other works, such User Content solely in order to manage the DDX Services and business, provide customer service and related problem solving services to you; and (ii) use, compile and aggregate de-identified User Content and data derived therefrom for commercial purposes.

You are responsible for ensuring the privacy of your own User Content. HSPS uses industry standard security measures to protect the loss, misuse and alteration of the User Content you provide. Although we make good faith efforts to store the User Content provided by members in a secure operating environment that is not available to the public, HSPS cannot guarantee complete security. Further, while HSPS makes every effort to ensure the integrity and security of its systems, HSPS cannot guarantee that its security measures will prevent third-party "hackers" from illegally accessing the User Content or your personal information. With respect to individually identifiably health information exchanged through your use of the DDX Services, the parties agree to comply with the provisions of the Business Associate Agreement attached hereto as Exhibit A and deemed incorporate herein by reference and made a part hereof.

6. NO UNLAWFUL OR PROHIBITED USE

As a condition of your use of the DDX Services, you will not use this site for any purpose that is unlawful or prohibited by these Terms of Use. You may not use this site in any manner that could damage, disable, overburden, or impair any HSPS server, or the network(s) connected to any HSPS server, or interfere with any other party\'s use and enjoyment of the services. You may not attempt to gain unauthorized access to any computer systems or networks connected to any HSPS server or other systems, through hacking, password mining or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through this site. HSPS makes no representation that the DDX Services, this site, or its contents are appropriate or available for use in locations outside the United States, and accessing the DDX Services from territories where such content is illegal is prohibited. Your access and use of the DDX Services is at your own initiative and risk and you are responsible for compliance with all applicable local laws, keeping in mind that access to the DDX Services may not be legal by certain persons or in certain jurisdictions.

7. NO UNLAWFUL OR PROHIBITED USE

You are responsible for maintaining the confidentiality of your logon information, and are fully responsible for all activities that occur under your password or user name. You agree (a) to immediately notify HSPS of any unauthorized use of your password or user name or any other breach of security, and (b) to ensure that you exit from your account at the end of each session. We will not be liable for any loss that you may incur as a result of someone else using your password or user name, either with or without your knowledge. However, you could be held liable for losses incurred by us or another party due to someone else using your password or user name. You may not use anyone else\'s password or user name at any time without their permission.

8. LINKS TO OTHER WEB SITES, CONTENT, PRODUCTS AND SERVICES

The DDX Services may contain links to other Web sites, or provide access to content, products and services, not owned or managed by HSPS or its affiliates. HSPS provides such links solely for the convenience of our visitors. HSPS is not responsible for the accuracy, legal or regulatory compliance, decency, or any other aspect of the content of such sites, and such sites are not investigated, monitored, or checked for accuracy or completeness by HSPS. The inclusion of links to such sites does not imply the approval, recommendation or endorsement of the site by HSPS or any association of HSPS with the operators of such sites. We urge you to read the terms of use policies on linked Web sites before utilizing their products or services as HSPS is not responsible for these areas.

9. TYPOGRAPHICAL OR OTHER ERRORS

While HSPS takes reasonable care and skill to provide information which is accurate and up to date when first included on this site, typographical, technical and other errors may nevertheless occur. HSPS does not undertake to update or correct such information and reserves the right to modify, delete and rearrange any or all of the contents of the DDX Services and the Web site at any time without notice to you. While HSPS makes reasonable efforts to prevent unauthorized tampering with the DDX Services, HSPS does not guarantee that its efforts will always be successful. Therefore, as set below, HSPS does not warrant that the DDX Services, this site or the materials provided hereon will be error-free, and disclaims any liability for such errors.

10. CONFIDENTIAL INFORMATION

The parties agree that these Terms of Use and other materials of a confidential and proprietary nature, including any confidential business, technical, financial or other information disclosed by one party to the other under these Terms of Use (\"Confidential Information\") is the Confidential Information of the disclosing party. Each party agrees that it shall not use the Confidential Information of the other party for any purpose not expressly permitted by these Terms of Use, and that it shall hold in confidence and shall not disclose to any third party such Confidential Information, and shall similarly bind its personnel. A party shall not be obligated under this section with respect to information that it can document: (i) is or has become readily publicly available without restriction through no fault of such party of its personnel, (ii) is received, without restriction, from a third party lawfully in possession of such information and lawfully empowered to disclose such information, or (iii) was rightfully in such party’s possession without restriction prior to its disclosure by the other party.

11. DISCLAIMER OF WARRANTIES

THE DDX SERVICES AND SITE AND ALL RELATED MATERIALS, INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN THE SITE OR AVAILABLE UNDER THESE TERMS OF USE (THE "CONTENT") ARE PROVIDED "AS IS" AND "AS AVAILABLE" FOR YOUR USE, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. HSPS SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES WITH RESPECT TO THE CONTENT.

HSPS MAKES NO REPRESENTATION AS TO THE ACCURACY, CORRECTNESS, TIMELINESS, COMPLETENESS, RELIABILITY OR SUITABILITY OF THE CONTENT OR ANY SOFTWARE INSTALLED BY YOU IN CONNECTION WITH THE USE OF THIS CONTENT. HSPS PERIODICALLY AMENDS, CHANGES, ADDS, DELETES, UPDATES OR ALTERS THE INFORMATION, INCLUDING, THESE TERMS OF USE, AVAILABLE AT THIS SITE WITHOUT NOTICE. FURTHER, HSPS ASSUMES NO LIABILITY OR RESPONSIBILITY FOR ANY ERRORS, OMISSIONS OR INTERRUPTIONS IN THE CONTENT OR ANY SOFTWARE INSTALLED BY YOU IN CONNECTION WITH THE USE THE CONTENT. HSPS SPECIFICALLY DISCLAIMS ANY DUTY TO UPDATE THE CONTENT AND THE INFORMATION AVAILABLE AT THIS SITE. YOU ARE RESPONSIBLE FOR VERIFYING ALL INFORMATION AND CONTENT LOCATED ON THIS SITE. Some states or nations may not allow the disclaimer of certain warranties, so the above limitations may not apply to you in all cases.

12. DISCLAIMER OF THIRD PARTY ACTIVITIES

ACCESS TO THIS SITE AND THE CONTENT MAY REQUIRE THE USE OF SERVICES AND FACILITIES OF THIRD PARTIES, INCLUDING FACILITIES USED IN THE TRANSMISSION OF DATA OVER, AND THE AVAILABILITY OF DATA ON, THE INTERNET, WHICH SERVICES AND FACILITIES ARE NOT UNDER THE CONTROL OF HSPS ("THIRD PARTY SERVICES"). AT TIMES, ACTIONS OR INACTIONS OF ENTITIES CONTROLLING SUCH THIRD PARTY SERVICES MAY DISRUPT OR PREVENT COMMUNICATIONS, INCLUDING OVER THE INTERNET (OR PORTIONS THEREOF). HSPS DOES NOT GUARANTEE THAT SUCH EVENTS WILL NOT OCCUR. HSPS DISCLAIMS ANY AND ALL LIABILITY RESULTING FROM OR RELATED TO THIRD PARTY SERVICES AND SUCH EVENTS.

13. LIMITATION OF LIABILITY

Use of the DDX Services, this Web site, the Content or any software application installed by you in connection with the use of this Web site, is at your sole risk. IN NO EVENT SHALL HSPS OR ANY OTHER PARTY INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE DDX SERVICES, THE CONTENT OF THIS SITE OR ANY SOFTWARE APPLICATION ASSOCIATED WITH THIS SITE BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, COMPUTER VIRUS OR SYSTEM FAILURE, OR LOSS OF DATA OR PROFITS, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE DDX SERVICES, THIS SITE (OR THE CONTENT PROVIDED AT THIS SITE OR ANY WEB SITE RELATED TO ANY THIRD PARTY), OR ANY SOFTWARE APPLICATION INSTALLED IN CONNECTION WITH THE USE OF THIS SITE OR USERS' INABILITY TO USE THE CONTENT CONTAINED IN THIS SITE (OR ANY OTHER WEB SITE), ON ANY THEORY OF LIABILITY. HSPS WILL NOT BE LIABLE OR RESPONSIBLE FOR ANY LOSS OR DAMAGE CAUSED BY OR ARISING FROM YOUR RELIANCE ON THE DDX SERVICES, THIS SITE OR THE CONTENT. THESE WAIVERS APPLY EVEN IF HSPS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL HSPS’ OR HENRY SCHEIN, INC.’S LIABILITY TO YOU FOR ANY DAMAGES, LOSSES, OR CAUSES OF ACTION (WHETHER IN CONTRACT OR TORT, INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE OR OTHERWISE) EXCEED THE AMOUNT, IF ANY, PAID BY YOU TO HSPS SPECIFICALLY FOR ACCESSING THE DDX SERVICES DURING THE PRECEEDING THREE-MONTH PERIOD. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF ANY REMEDY PROVIDED UNDER THESE TERMS OF USE FAILS OF ITS ESSENTIAL PURPOSE. Some states do not allow the exclusion of liability for consequential damages, so the above limitations may not apply to you in all cases.

14. DISPUTES

If there is a dispute between users of the DDX Services or between users of the DDX Services and any third party, you understand and agree that HSPS is under no obligation to become involved. In the event that you have such a dispute, you hereby release HSPS, Henry Schein, Inc. and their respective officers, employees, agents and successors in rights from claims, demands and damages (actual and consequential) of every kind or nature, known or unknown, suspected and unsuspected, disclosed and undisclosed, arising out of or in any way related to such disputes and/or the DDX Services. If you are a California resident, you waive California Civil Code Section 1542, which says "A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor."

15. FORWARD LOOKING STATEMENTS

THE CONTENT TOGETHER WITH ANY DOCUMENTS ISSUED BY HSPS OR ANY OF ITS AFFILIATES, SERVICE PROVIDERS, OR BUSINESS PARTNERS AND AVAILABLE THROUGH HSPS' WEB SITES MAY CONTAIN FORWARD-LOOKING STATEMENTS WITHIN THE MEANING OF THE U.S. PRIVATE SECURITIES LITIGATION REFORM ACT OF 1995. THOSE STATEMENTS MAY APPEAR IN A NUMBER OF PLACES IN THE SITE AND CAN BE IDENTIFIED BY THE USE OF FORWARD-LOOKING TERMINOLOGY SUCH AS \"MAY,\" \"COULD,\" \"EXPECT,\" \"ANTICIPATE,\" \"INTEND,\" \"BELIEVE,\" \"PLAN,\" \"ESTIMATE,\" \"FORECAST,\" \"PROJECT,\" OR OTHER COMPARABLE TERMS OR THE NEGATIVE THEREOF. HSPS PROVIDES THE FOLLOWING CAUTIONARY REMARKS REGARDING IMPORTANT FACTORS WHICH, AMONG OTHERS, COULD CAUSE FUTURE RESULTS TO DIFFER MATERIALLY FROM THE FORWARD-LOOKING STATEMENTS, EXPECTATIONS AND ASSUMPTIONS EXPRESSED OR IMPLIED HEREIN. THE FORWARD-LOOKING STATEMENTS INCLUDED HEREIN ARE BASED ON THEN-CURRENT EXPECTATIONS OF MANAGEMENT. ALL FORWARD-LOOKING STATEMENTS MADE BY US ARE SUBJECT TO RISKS AND UNCERTAINTIES AND ARE NOT GUARANTIES OF FUTURE PERFORMANCE. FORWARD-LOOKING STATEMENTS INVOLVE KNOWN AND UNKNOWN FACTORS, RISKS AND UNCERTAINTIES THAT MAY CAUSE OUR ACTUAL RESULTS, PERFORMANCE AND ACHIEVEMENTS, OR INDUSTRY RESULTS, TO BE MATERIALLY DIFFERENT FROM ANY FUTURE RESULTS, PERFORMANCE, OR ACHIEVEMENTS EXPRESSED OR IMPLIED BY SUCH FORWARD-LOOKING STATEMENTS. THOSE FACTORS, RISKS AND UNCERTAINTIES INCLUDE, BUT ARE NOT LIMITED TO, THE FACTORS DESCRIBED UNDER \"RISK FACTORS\" DISCUSSED IN HENRY SCHEIN, INC.'s PERIODIC FILINGS MADE WITH THE SECURITIES AND EXCHANGE COMMISSION. WE CAUTION YOU THAT THAT THESE FACTORS MAY NOT BE EXHAUSTIVE AND THAT MANY OF THESE FACTORS ARE BEYOND OUR ABILITY TO CONTROL OR PREDICT. ACCORDINGLY, FORWARD-LOOKING STATEMENTS SHOULD NOT BE RELIED UPON AS A PREDICTION OF ACTUAL RESULTS. NEITHER HENRY SCHEIN, INC. NOR HSPS UNDERTAKE ANY DUTY OR HAVE ANY OBLIGATION TO UPDATE FORWARD-LOOKING STATEMENTS.

16. INDEMNIFICATION BY USER

You agree to defend, indemnify, and hold harmless Henry Schein, Inc. and HSPS and their affiliates, parents, subsidiaries, and respective employees, agents, contractors, officers, directors, successors and assigns from all liabilities, claims, damages and expenses, including without limitation attorneys' fees and costs, that arise from your: (i) breach of these Terms of Use, or (ii) use or misuse of the DDX Services, this site or any information contained thereon or your use of any software application associated with the use of this site. You agree to seek and obtain our written permission before agreeing to settle any claim.

17. TERMINATION

Notwithstanding anything to the contrary, HSPS shall have the right immediately to terminate this agreement with you and your use of the DDX Services and this site if it determines in its sole discretion that you have breached any of these Terms of Use or otherwise been engaged in conduct which HSPS determines in its sole discretion to be unacceptable.

18. CHOICE OF LAW AND FORUM

These Terms of Use shall be governed by and construed in accordance with the laws of the State of Utah, without regard to such state\'s rules regarding conflicts of laws. By accessing the DDX Services, you agree that courts located in Utah shall have exclusive jurisdiction over all claims and actions arising out of or relating to these Terms of Use and/or your use of the DDX Services, and you further agree and submit to the exercise of personal jurisdiction of such courts and consent to extra-territorial service of process for the purpose of litigating any such claim or action.

19. RECORDS

A printed version of these Terms of Use and of any notice given in electronic form will be admissible in judicial or administrative proceedings relating to these Terms of Use to the same extent and subject to the same conditions as other business documents originally generated and maintained in printed form. For purposes of any dispute, HSPS\' records shall be conclusive in all respects.

20. INTEGRATION, SEVERABILITY AND WAIVER

These Terms of Use (as any such terms that may be updated by HSPS from time to time) and the DDX License Agreement and Services (if applicable) constitutes the entire agreement between you and HSPS with respect to the DDX Services and supersede all prior or contemporaneous communications and proposals (whether oral, written, or electronic) between you and HSPS with respect to this site. If any part of these Terms of Use is held invalid or unenforceable, that portion shall be construed in a manner consistent with applicable law to reflect, as nearly as possible, the original intentions of the parties, and the remaining portions shall remain in full force and effect. The failure of HSPS to exercise or enforce any right or provision of these Terms of Use shall not constitute a waiver of such right or provision. You agree that regardless of any statue or law to the contrary, any claim or cause of action arising out of or related to the use of the DDX Services, this site or the content or any software application installed by you in connection with the use of this Web site must be filed within one year after such claim or cause of action arose or be forever barred.

21. Notices

Except as otherwise provided, all notices given under these Term of Use shall be in writing and shall be deemed to have been duly given upon receipt if delivered by hand or facsimile transmission with receipt confirmed, three days after mailing by certified or registered mail, and one day after sending by overnight courier, to the parties’ respective addresses. All notices give to HSPS under this Agreement shall be sent with a copy to Henry Schein, Inc., 135 Duryea Road, Melville, New York 11747, Attn: General Counsel, Fax (631) 843-5660.

22. No Joint Venture

Nothing in these Terms of Use shall be construed to create, constitute, give effect to or otherwise imply a joint venture, partnership, agency or employment relationship of any kind between the parties. Neither party nor its respective representatives, employees or agents may make representations or agreements that are binding upon the other party.

23. Assignment

You shall not have the right to assign (by operation of law or otherwise) these Terms of Use without the prior written consent of HSPS. Except as otherwise provided herein, these Terms of Use shall be binding

24. Force Majeure

HSPS shall have no liability for delays, failure in performance or damages (other than obligations regarding payment of money or confidentiality) due to: fire, explosion, lightning, pest damage, power surges or failures, strikes or disputes, water, acts of God, the elements, war, civil disturbances, acts of military authorities or the public enemy, inability to secure raw material, transportation facilities, fuel or energy shortages, acts or omissions of communications carriers, or other causes beyond HSPS’s control, whether or not similar to the foregoing.

25. Remedies

Due to the fact that the disclosing party could not be adequately compensated by money damages in the event of the receiving party’s breach of any of the confidentiality provisions of this Agreement, the disclosing party shall be entitled, in addition to any other right or available remedy, to an injunction or other equitable relief restraining such breach or any threatened breach.

26. NO PUBLICITY

HSPS shall be entitled to disclose and publicize, in the form of customer lists, marketing materials and otherwise, your identity as a client of HSPS and display your logo on its web site. Neither party shall issue a general press release naming the other party or regarding the existence of these Terms of Use, without the prior written consent of the other party; provided, however, that either party may, without such consent, make any press release or other public announcement as required by law.

27. SECTION HEADINGS

The headings contained in these Terms of Use are for convenience of reference only and are not intended to have any substantive significance in interpreting these Terms of Use.

EXHIBIT A

Henry Schein Practice Solutions Business Associates Agreement

(PRIVACY AND SECURITY OF HEALTH INFORMATION)

This BUSINESS ASSOCIATE AGREEMENT ("Agreement") is entered into between Henry Schein Practice Solutions Inc. ("Business Associate") and you ("Provider"). Both parties agree as follows:

I. DEFINITIONS

Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Standards for Privacy of Individually Identifiable Health Information, at 45 Code of Federal Regulations ("CFR") part 160 and part 164 subpart E (the "Privacy Rule"), the Security Standards issued at 45 CFR part 160 and part 164 subpart C (the "Security Rule"), and the breach notification rules at 45 CFR Part 164, subpart D ("Breach Rules") as they may be amended from time to time.

The following capitalized terms shall have the following meaning when used in this Agreement:

a. "Breach" shall have the same meaning as the term "Breach" in 45 CFR 164.402.
b. "Designated Record Set" shall mean a group of records maintained for Provider that are the medical and/or billing records that refer to an individual Patient.
c. "Electronic PHI" shall mean the PHI that is transmitted or maintained by Business Associate on behalf of Provider in electronic media, including, but not limited to, hard drives, disks, on the internet, or on an intranet.
d. "HITECH Act" shall mean the "Health Information Technology for Economic and Clinical Health Act" set forth within P.L. 111-5, and all relevant regulations promulgated thereunder, as amended from time to time.
e. "Patient" shall mean the individual whose PHI is contained in a specific medical or billing record that Business Associate maintains on behalf of Provider, or that person’s duly appointed guardian or qualified personal representative.
f. "PHI" shall have the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information created or received by Business Associate from or on the behalf of Provider.
g. "Secretary" shall mean the Secretary of the U.S. Department of Health and Human Services or his designee.
h. "Unsecured PHI" shall have the same meaning as the term "Unsecured Protected Health Information" as defined in 45 CFR 164.402.

II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

a. Business Associate agrees to comply with those provisions of the Security Rule that are set forth at 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316, as amended from time to time, with respect the security of PHI, in the same manner that such regulations apply to the Provider.
b. Business Associate agrees to comply with the Privacy Rule at 45 C.F.R. § 164.504(e), as amended from time to time, with respect to its use and disclosure of PHI, in the same manner that such regulation applies to Provider. The additional requirements of the HITECH Act that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby are incorporated into the Business Associate Agreement.
c. Business Associate agrees to not use or further disclose PHI other than as specifically permitted or required by this Agreement or as required by law.
d. Business Associate agrees to use appropriate safeguards and comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
e. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of the Agreement.
f. Business Associate agrees to report to Provider if it becomes aware of any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI as required by 45 CFR 164.410, and any Security Incident of which it becomes aware. Notwithstanding anything herein to the contrary, the parties acknowledge and agree that this Agreement shall constitute notice to Provider that Business Associate may periodically experience broadcast attacks on its firewall, port scans, unsuccessful log-on attempts, denials of service and similar unsuccessful security incidents, and Business Associate need not further report such incidents to Provider so long as such incidents do not result in unauthorized access, use or disclosure of PHI.
g. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate on behalf of Provider agree to the same restrictions and conditions that apply to Business Associate with respect to such information, including, without limitation, implementation of appropriate safeguards to protect the security of Electronic PHI.
h. Upon the written request of Provider, Business Associate agrees to provide access to Provider to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associate to maintain Designated Record Sets on behalf of Provider), in order for Provider to meet the Patient access and copying requirements under 45 CFR 164.524. If Business Associate maintains an electronic health record which contains the PHI, Business Associate shall provide such information produced in accordance with this section 2(h) in electronic format to enable Provider to fulfill its obligations under applicable regulations.
i. Upon the written request of Provider, Business Associate agrees to make any amendment(s) to PHI that Business Associate maintains in a Designated Record Set (if in fact its arrangements with Provider require Business Associates to maintain Designated Record Sets on behalf of Provider), that the Provider directs or agrees to pursuant to 45 CFR 164.526.
j. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI available at the request of the Provider to the Secretary, for purposes of determining Provider’s compliance with the Privacy Rule, subject to attorney-client or other applicable legal privileges.
k. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Provider to respond to a request by Patient for an accounting of disclosures of PHI in accordance with 45 CFR 164.528, as may be amended from time to time.
l. Upon written request of Provider, Business Associate agrees to provide Provider with information collected in accordance with Section II.i. of this Agreement to permit Provider to respond to a request by Patient for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
m. Business Associate agrees that to the extent it is to carry out Provider’s obligation under the Privacy Rule that it will comply with the requirements of the Privacy Rule that apply to Provider in the performance of such obligation.
n. Business Associate agrees to notify Provider without unreasonable delay, but in no event more than 60 days after Business Associate becomes aware of an unauthorized use or disclosure by or on behalf of Business Associate which constitutes a Breach of Unsecured PHI unless it receives a request to delay such notification from a law enforcement official pursuant to 45 CFR 164.412. Such notification shall include a list of impacted Patients, and describe the Breach in such reasonable detail.
o. Upon written request of Provider, Business Associate will comply with a Patient request for restriction of certain disclosures to health plans in accordance with 45 CFR 164.522 and the HITECH Act, if the disclosure is to a health care plan for the purposes of carrying out payment or health care operations and the PHI pertains solely to a health care item or service for which Patient has paid for out of pocket in full. Except to the extent that Provider must agree to a Patient request for restriction under the HITECH Act, Business Associate shall not be required to comply with a Patient’s request to restrict the use or disclosure of PHI.

III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

a. Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Provider, in accordance with the contractual or other arrangements between Provider and Business Associate.
b. Except as otherwise specifically permitted by Section IV. of this Agreement, Business Associate shall limit its use and disclosure of PHI to only the minimum necessary PHI required by Business Associate to furnish services on behalf of Provider.

IV. SPECIFIC USE AND DISCLOSURE PROVISIONS

a. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
b. Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of PHI has been breached.
c. Business Associate may use PHI to provide data aggregation services as permitted by 45 CFR 164.504(e)(2)(i)(B) (i.e. the combining PHI received from Provider with PHI received by Business Associate in its capacity as the business associate of another practice for the purpose of conducting data analyses that relate to health care operations of various practices).
d. Business Associate may use PHI to create de-identified health information to the extent permitted by the Privacy Rule. There will be no restrictions on Business Associate’s use or disclosure of the de-identified health information once it is so de-identified.

V. OBLIGATIONS OF PROVIDER

a. Provider represents and warrants to Business Associate that its Notice of Privacy Practices permits Provider to disclose PHI to Business Associate, and that the Notice of Privacy Practices used by Provider incorporates the terms and statements required by the Privacy Rule. Provider agrees that Provider shall not modify such notice or its privacy procedures in any manner that may affect Business Associate’s authority to use or disclose PHI pursuant to this Agreement without the consent of Business Associate, except as may be required by applicable law.
b. If applicable, Provider shall notify Business Associate of any changes in, or revocation of, permission by a Patient to use or disclose PHI, to the extent that such changes may affect the permitted uses or disclosures of such PHI by Business Associate.
c. Provider shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule, Security Rule or other applicable law or its Notice of Privacy Practices if done by Provider except the uses specifically permitted under Section IV. above, where Business Associate may use or disclose PHI for data aggregation or management and administrative activities of Business Associate.
d. Provider represents and warrants to Business Associate that Provider shall comply with all requirements of the Privacy Rule, Security Rule, and any similar federal or state requirements relating to privacy concerns.

VI. MUTUAL OBLIGATIONS

The parties agree that they will neither directly nor indirectly receive remuneration in exchange for any PHI of a Patient, unless a valid authorization, pursuant to 45 CFR 164.508, is executed by that Patient. Notwithstanding the foregoing, the parties agree that they may receive remuneration in exchange for PHI of a patient in accordance with 42 USC § 17935(d)(2) and 45 CFR 164.502(a)(5)(ii)(B)(2).

VII. TERM AND TERMINATION

a. The Term of this Agreement shall be effective as of the date set forth above, and shall remain effective so long as a relationship between the Provider and the Business Associate shall persist. This Agreement shall terminate when all of the PHI provided by Provider to Business Associate or created or received by Business Associate on behalf of Provider is destroyed or returned to Provider or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in Section VII.d.2. below.
b. Upon Provider’s knowledge of a material breach of this Agreement by Business Associate, Provider shall provide written notice to Business Associate identifying the breach, and permit the Business Associate 30 days to cure the breach; if Business Associate does not cure the breach or end the violation within the time specified, or if cure is not possible, Provider may immediately terminate this Agreement, and/or report the event to the Secretary.
c. Upon Business Associate’s knowledge of a material breach of this Agreement by the Provider, the Business Associate shall provide written notice to the Provider identifying the breach, and may permit the Provider the opportunity to cure the breach within 30 days; if Provider does not cure the breach or end the violation within the time specified, or if cure is not possible, Business Associate may immediately terminate this Agreement, and/or report the event to the Secretary.
d. Effect of Termination.
i. Except as provided in Section VII.d.2. below, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Provider, or created or received by Business Associate on behalf of Provider. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
ii. In the event the Business Associate determines that the returning of or destroying of the PHI is infeasible, Business Associate shall provide to Provider notification of the conditions that make return or destruction infeasible, and thereafter, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

VIII. NOTICE

Any and all notices, requests, or reports, required or permitted to be given under any provision of this Agreement shall be in writing and shall be deemed given upon the mailing thereof by first class certified mail, return receipt requested, postage prepaid, or by overnight mail. If such notice is to the Business Associate, then it shall be sent to the attention of the HIPAA Compliance Officer at the address provided below with a copy to the General Counsel, Henry Schein, Inc., 135 Duryea Road, Melville, New York 11747. If such notice is to the Provider, then it shall be sent to the address that the Business Associate then has on file for the Provider.

IX. MISCELLANEOUS

a. This Agreement is between Provider and Business Associate and shall not be construed, interpreted, or deemed to confer any rights whatsoever to any third party, including Patients.
b. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with Health Insurance Portability and Accountability Act, the Transaction Standards, Security Standards, the Privacy Rules, and the HITECH Act.
c. This Agreement shall be governed by and construed in accordance with the laws of the state of Utah, without regard to the conflicts of law principles of such state.
d. Provider and Business Associate agree to negotiate in good faith if, in either party’s reasonable judgment, modification of this Agreement becomes necessary due to legislative or regulatory amendments to the Privacy Rule, the Security Rule, or the HITECH Act.
e. In the event that it is impossible to comply with both this Agreement and any underlying services agreements between the parties, the provisions of this Agreement shall control with respect to those provisions of each agreement that expressly conflict.
f. This agreement replaces and supersedes any previous agreement with respect to the subject matter hereof.

 

Last Updated: August 16, 2013

Powered by DDX