Last Updated: July 12, 2023
1. Introduction.
These Terms of Service are applicable to your use of www.orapath.com and all materials, information, software, products, tools, and services included in or available thereby (the “Services”). Please read these Terms of Service carefully. By using the Services, you acknowledge that you understand and agree to be bound by these Terms of Service. If you do not understand or agree to be bound by these Terms of Service, do not access or use the Services.
IMMYLabs may change or modify these Terms of Service from time to time without giving notice to you. If a change is made, the date of last modification at the beginning of these Terms of Service will reflect the date the change was implemented. It is your sole responsibility to review these Terms of Service periodically and to be aware of any modifications. You acknowledge your agreement to be bound by the modified Terms of Service by continuing to use the Services after any such modifications.
2. Privacy.
Our Privacy Policy describes how we use, disclose, and protect your information collected during your use of the Services.
3. Account Registration and Protection.
a. Account Registration.
When you provide information about yourself to us, including that provided in the registration process, you agree to: (i) provide accurate, current, and complete information about yourself, and not to provide information that attempts to impersonate another individual; and (ii) promptly update us with such information to keep it accurate, current, and complete. If you provide any information that is untrue, inaccurate, or incomplete, or we have reasonable grounds to suspect that such information is untrue, inaccurate, or incomplete, we retain the right to suspend or terminate any account you establish and/or to refuse any or all current or future use of the Services or any portion thereof.
b. Passwords.
Your use of the Services may permit or require you to register or obtain a password prior to permitting you to access certain portions of the Services. You acknowledge and agree that you are solely responsible for maintaining the confidentiality of your access credentials. You agree to notify us immediately of any suspected unauthorized access to or use of your account, or any other breach of security involving access to the Services through your account. You acknowledge that you may be held liable for any loss or harm incurred by us or any other person or entity due to unauthorized access to the Services as a result of your failing to keep your access credential information secure and confidential.
4. Order of Services.
Orders of Services may be sent to orapath@immylabs.com. You agree that your order is an offer to buy, under these Terms of Service, all products and/or services you request. IMMYLabs may, in its sole discretion, accept or reject any order, or, without liability or penalty, cancel any order placed by you and accepted by IMMYLabs, in whole or in part, if IMMYLabs determines that you are in violation of your payment obligations hereunder or have breached or are in breach of these Terms of Service, or pursuant to any other rights IMMYLabs has under these Terms of Service.
5. Submission of Samples.
The Services require you to (i) collect all biological samples (e.g., blood, saliva, or urine), in accordance with the instructions included with the collection kit, and (ii) send the sample to our laboratory for testing. If you do not provide an adequate sample or utilize the collection kit, or provide it in a manner that is contraindicated or not consistent with any instructions, or do not return the sample within the timeframe set forth in the instructions, we may not be able to process your sample, or such action may result in inaccurate and/or unreliable readings of the sample. In the event we determine that a sample is not suitable for testing due to the occurrence of one of the above, we reserve the right to withhold test results and to not provide a refund.
6. Test Results.
If your sample is successfully processed, the results of the test(s) will be made available to authorized individuals. Due to the nature of the Services, we do not warrant that results will be entirely or 100% accurate. Results are informational and educational only and are not intended to diagnose or treat a disease or condition or to replace the advice of your doctor or dentist.
7. Pricing and Payment.
a. Pricing.
Prices do not include sales, use, excise, and any other similar taxes, duties, and charges of any kind imposed by any governmental authority on any amounts payable by you under these Terms of Service. IMMYLabs reserves the right to change the prices of any and all goods and/or services available at any time and in its sole discretion.
b. Payment Terms.
Terms of payment are within our sole discretion. Payment shall be made in U.S. Dollars in a mode acceptable by IMMYLabs. You represent and warrant that (i) the credit card information you supply to us is true, correct, and complete, (ii) you are duly authorized to use such credit card for the purchase, (iii) charges incurred by you will be honored by your credit card company, and (iv) you will pay charges incurred by you at the posted prices, including all applicable taxes, if any.
8. Shipments and Delivery; Title and Risk of Loss.
Unless expressly agreed to by IMMYLabs in writing, IMMYLabs shall select the method of shipment of and the carrier for any ordered goods. IMMYLabs may, in its sole discretion, without liability or penalty, make partial shipments of goods to you. Unless expressly agreed to by IMMYLabs, IMMYLabs shall deliver the goods to your requested delivery point, using IMMYLabs’ standard methods for packaging and shipping the goods. All prices are FOB shipping point. Any time quoted for delivery is an estimate only; provided, however, that IMMYLabs shall use commercially reasonable efforts to deliver all goods on or before any requested delivery date. IMMYLabs is not liable for or in respect of any loss or damage arising from any delay in filling any order, failure to deliver, or delay in delivery. No delay in the shipment or delivery of any goods relieves you of your obligations under each applicable order, including accepting delivery of any remaining installment or other orders of goods. Title to goods and the risk of loss of same shipped under any order passes to you upon IMMYLabs’ delivery of such goods to the carrier at IMMYLabs’ facility.
9. Intellectual Property.
a. User Content.
You are solely responsible for all information, data, or other materials (excluding HIPAA Protected Health Information) that you upload, transmit, or otherwise make available to or through the Services (“User Content”). By uploading, posting, transmitting, publishing, displaying, or otherwise making available User Content, you grant IMMYLabs, in connection with the Services, a worldwide, perpetual, non-exclusive, royalty-free license to use, reproduce, display, perform, adapt, modify, publish, create derivative works from, or distribute such User Content in whole or in part in any form, medium, or technology (now known or later developed). You represent and warrant that our publication and use of your User-Provided Content will not infringe or violate the intellectual property or other rights of any third party.
b. IMMYLabs Intellectual Property Rights.
You acknowledge and agree that: (i) any and all IMMYLabs’ Intellectual Property Rights are the sole and exclusive property of IMMYLabs or its licensors; (ii) you shall not acquire any ownership interest in any of IMMYLabs’ Intellectual Property Rights under the Agreement; (iii) any goodwill derived from the use by you of IMMYLabs’ Intellectual Property Rights inures to the benefit of IMMYLabs or its licensors, as the case may be; and (iv) if you acquire any Intellectual Property Rights in or relating to any product (including any Good) purchased under this Agreement (including any rights in any Trademarks, derivative works, or patent improvements relating thereto), by operation of law, or otherwise, these rights are deemed and are hereby irrevocably assigned to IMMYLabs or its licensors, as the case may be, without further action by you or IMMYLabs.
10. Use of Services by HIPAA Covered Entities.
If you are a HIPAA Covered Entity, you represent and warrant that when using the Services, you will comply with all applicable laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and other federal and state privacy and data security laws, and you will not provide any information, including Protected Health Information, to us for which you do not have the required authorizations or consents.
11. Links to Third-Party-Owned Websites.
The OraPath website (www.orapath.com) may from time-to-time link to third-party websites for your convenience and to provide easy access to additional useful information. Should you select such a link you will leave the OraPath website. IMMYLabs does not control those sites nor their privacy practices, which may differ from IMMYLabs’ practices and policies. Any personal data you choose to provide to or that is collected by such third parties is not in any way covered by the IMMYLabs Privacy Policy. A link to another website from IMMYLabs does not constitute an endorsement or representation about the value, quality, or usefulness of anything found on that third-party website.
12. Dispute Resolution.
These Terms of Service and all matters arising out of or relating thereto, are governed by, and construed in accordance with the Laws of the State of Oklahoma, USA, without regard to the conflict of laws provisions thereof to the extent these principles or rules would require or permit the application of the Laws of any jurisdiction other than those of the State of Oklahoma. You irrevocably and unconditionally agree that you will not commence any action, litigation or proceeding of any kind whatsoever against IMMYLabs in any way arising from or relating to the Services or these Terms of Service, and all contemplated transactions, including contract, equity, tort, fraud, and statutory claims, in any forum other than the United States District Court for the Western District of Oklahoma, or, if this court does not have subject matter jurisdiction, the courts of the State of Oklahoma sitting in Cleveland County, and any appellate court from any thereof. You irrevocably and unconditionally submit to the exclusive jurisdiction of these courts and agree to bring any action, litigation, or proceeding only in the United States District Court for the Western District of Oklahoma or, if this court does not have subject matter jurisdiction, the courts of the State of Oklahoma sitting in Cleveland County. You further agree that a final judgment in any action, litigation or proceeding is conclusive and may be enforced in other jurisdictions by suit on the judgment or in any other manner provided by Law.
13. Disclaimer of Warranty.
THE SERVICES AND ALL MATERIALS, INFORMATION, SOFTWARE, PRODUCTS, TOOLS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. TO THE FULLEST EXTENT ALLOWED BY LAW, IMMYLABS DISCLAIMS ALL EXPRESS AND IMPLIED WARRANTIES WITH REGARD TO THE SERVICES AND ALL MATERIALS, INFORMATION, SOFTWARE, PRODUCTS, TOOLS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE SERVICES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. IMMYLABS MAKES NO WARRANTY THAT (A) THE SERVICES WILL MEET YOUR REQUIREMENTS; (B) THE SERVICES WILL BE UNINTERRUPTED, TIMELY, UNFAILINGLY SECURE, OR ERROR-FREE; (C) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICES WILL BE ACCURATE OR RELIABLE; AND (D) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE SERVICES WILL MEET YOUR EXPECTATIONS.
14. Limitation of Liability.
IN NO EVENT IS IMMYLABS OR ITS REPRESENTATIVES LIABLE FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR ENHANCED DAMAGES, LOST PROFITS OR REVENUES, OR DIMINUTION IN VALUE, WHETHER ARISING OUT OF OR RELATING TO ANY BREACH OF THESE TERMS OF SERVICE OR OTHERWISE, AND REGARDLESS OF: (A) WHETHER THE DAMAGES WERE FORESEEABLE; (B) WHETHER OR NOT IMMYLABS WAS ADVISED OF THE POSSIBILITY OF THE DAMAGES; AND (C) THE LEGAL OR EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) ON WHICH THE CLAIM IS BASED, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.
15. Indemnification.
You agree to indemnify, defend, and hold harmless IMMYLabs and its parent, officers, directors, partners, members, shareholders, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, that arise out of or are related to any content or material you submit, post, transmit, or make available through the Services, your violation of these Terms of Service, your misuse of the Services, or your violation of any third-party rights.
16. Severability.
If any provision of these Terms of Service is invalid, illegal, void or unenforceable, then that provision will be deemed severed from these Terms of Service and will not affect the validity or enforceability of the remaining provisions.
17. No Waiver.
No waiver by IMMYLabs of any provision set out in these Terms of Service shall be deemed a further or continuing waiver of such provision, and any failure by IMMYLabs to assert a right or provision under these Terms of Service shall not constitute a waiver of such right or provision.
18. Force Majeure.
IMMYLabs shall not be liable or responsible to you, nor be deemed to have defaulted under or breached these Terms of Service, for any failure or delay in fulfilling or performing any portion of the Services when and to the extent the failure or delay is caused by or results from acts beyond IMMYLabs’ reasonable control, including the following force majeure events: (i) acts of God; (ii) flood, fire, earthquake, or explosion; (iii) war, invasion, hostilities (whether war is declared or not), terrorist threats or acts, riot, or other civil unrest; (iv) requirements of Law; (v) actions, embargoes, or blockades in effect on or after the date of this Agreement; (vi) action by any Governmental Authority; (vii) national or regional emergency; (viii) strikes, labor stoppages, or slowdowns or other industrial disturbances; and (ix) shortage of adequate power or transportation facilities. IMMYLabs shall resume the performance of its obligations as soon as reasonably practicable after the removal of the force majeure cause.
19. Termination.
These Terms of Service are effective as long as you continue to access and/or use the Services or unless and until modified as noted above, or terminated, at any time, by IMMYLabs.
20. Contact Information.
Notices to you may be sent via either email or regular mail. Official notices to IMMYLabs must be sent to the following address:
IMMYLabs
Attn.: General Counsel
2701 Corporate Centre Dr.
Norman, OK 73069
This Business Associate Agreement applies only to Organizations qualifying as Covered Entities under the Health Insurance Portability and Accountability Act of 1996. This form mirrors the HHS model Business Associate Agreement.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BAA”), effective as of July 12, 2023, is by and between Covered Entity (as defined below) and IMMYLabs, LLC, (“Business Associate”, in accordance with the meaning given to those terms at 45 CFR §164.501) with its principal place of business at 2701 Corporate Centre Dr. Norman, OK 73069. Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.
Background
- Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
- The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively with this BAA, the “Agreement”);
- In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
- By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
- Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and
- Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.
Agreement
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
- Definitions. For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
- “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
- “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
- “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
- “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
- “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
- “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
- “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
- “HHS” means the U.S. Department of Health and Human Services.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- Use and Disclosure of PHI.
- Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
- Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
- Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
- Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession.
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
- Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
- Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event.
- Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.
- Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
- Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.
- Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report.
- Access to PHI by Individuals.
- Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
- In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.
- Amendment of PHI.
- Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.
- In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.
- Accounting of Disclosures.
- Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
- Business Associate will furnish to Covered Entity information collected in accordance with this Section 11, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
- In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
- Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
- Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
- Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
- Term and Termination.
- This BAA will become effective on the Effective Date, and will continue in effect until the Business Associate no longer provides services under the Agreement and under this BAA.
- Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
- If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.
- Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 15.D. will survive any termination of this BAA.
- Effect of BAA
- This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.
- Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
- Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
- Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
- HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.