HIPAA BUSINESS ASSOCIATE AGREEMENT
Covered Entity is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act (commonly referred to as the “HITECH Act”), and the regulations promulgated under the foregoing from time to time by the United States Department of Health and Human Services (collectively, as amended from time to time, “HIPAA”).
Covered Entity has engaged or may engage Business Associate to perform certain services (the “Services”) pursuant to one or more agreements between the parties (each, whether written or oral, a “Services Agreement”). In the course of providing the Services, Covered Entity may deliver to Business Associate, or allow Business Associate access to, or have Business Associate obtain, create, or maintain on behalf of Covered Entity information that may be deemed protected health information subject to the provisions of HIPAA and information subject to protection under other federal or state laws.
In order to comply with the applicable provisions of HIPAA and other federal or state laws as applicable, the parties agree as follows:
1.1 Capitalized terms used but not otherwise defined in this Agreement shall have the meanings ascribed in HIPAA (whether or not such terms are capitalized therein).
1.2 “Effective Date” means the date written above or, if earlier, the first date upon which Business Associate has access to or receives, creates, transmits, or maintains PHI.
1.3 “Electronic PHI” means PHI that is Electronic Protected Health Information.
1.4 “PHI” means Protected Health Information received or accessed by Business Associate from or on behalf of Covered Entity, or created, transmitted, or maintained by Business Associate for or on behalf of Covered Entity.
2. Compliance; Safeguards.
2.1 Business Associate represents and warrants that it has implemented and at all times will maintain (i) written policies and procedures in accordance with HIPAA and (ii) training of all members of its workforce in accordance with HIPAA.
2.2 Business Associate at all times shall maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, availability, and integrity of Electronic PHI that it creates, receives, maintains, or transmits in accordance with the regulations set forth at 45 CFR § 164.308, 45 CFR § 164.310, and 45 CFR § 164.312 and shall maintain policies and procedures and other documentation in accordance with the regulations set forth at 45 CFR § 164.316. Business Associate acknowledges that such provisions apply to Business Associate in the same manner that they apply to Covered Entities.
3. Electronic PHI to Be Encrypted.
3.1 Except as otherwise expressly approved in writing by Covered Entity in its sole discretion, to the extent Business Associate transmits any Electronic PHI, whether by any electronic communication (such as email) or by shipment of electronic media or devices (such as CDs, DVDs, USB drives, or external hard drives), Business Associate shall encrypt all such Electronic PHI either by utilizing encrypted electronic communication (such as TLS for email) or by encrypting all files containing Electronic PHI or encrypting such electronic media or devices. Such encryption shall render all such Electronic PHI unusable, unreadable, or indecipherable using an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key that complies with the requirements of Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, including, as appropriate, standards described in NIST Special Publication 800-52 (as revised or updated), Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (as updated or revised), NIST Special Publication 800-77 (as updated or revised), Guide to IPsec VPNs, NIST Special Publication 800-113 (as updated or revised), Guide to SSL VPNs (as updated or revised), or other standards that are FIPS 140-2 validated; provided, however, that if such standards no longer are in effect or if industry best practices call for a stronger encryption standard, Business Associate shall follow the encryption standard of industry best practices.
3.2 Except as otherwise expressly approved in writing by Covered Entity in its sole discretion, to the extent Business Associate maintains or stores any Electronic PHI, (i) Business Associate shall encrypt all such Electronic PHI that is maintained or stored on a laptop computer, removable electronic media, external hard drive, or other medium or device that is not a computer server or workstation located in a physically secure area and (ii) unless commercially infeasible (in which case Business Associate shall notify Covered Entity thereof promptly in writing), Business Associate shall encrypt all such Electronic PHI that is maintained or stored on a computer server or workstation located in a physically secure area. Such encryption shall render all such Electronic PHI unusable, unreadable, or indecipherable using an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key that is consistent with the National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; provided, however, that if such standards no longer are in effect or if industry best practices call for a stronger encryption standard, Business Associate shall follow the encryption standard of industry best practices.
4. Destruction of Media (Including Paper). To the extent Business Associate maintains or transmits any PHI, when required under this Agreement and when any PHI is no longer needed by Business Associate to perform the Services and its obligations pursuant to this Agreement and no longer required to be maintained pursuant to HIPAA, the media on which the PHI is stored or recorded shall be destroyed as follows: (i) paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed; and (ii) electronic media shall be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
5. Minimum Necessary. Business Associate shall request, access, use, and (if permitted by the Services Agreement) disclose only the minimum amount of PHI necessary, in accordance with HIPAA, to perform the Services.
6. Permitted Uses. Subject to the restrictions set forth in this Agreement regarding Substance Use Disorder Records, Business Associate may use PHI only as permitted or required by this Agreement and only for the following purposes:
(i) as necessary to perform the Services;
(ii) to carry out its legal responsibilities;
(iii) for the proper business management and administration of Business Associate;
(iv) to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, but only to the extent, if any, expressly provided in the Services Agreement;
(v) to de-identify PHI in accordance with the standards set forth under HIPAA, but only to the extent, if any, expressly provided in the Services Agreement; and
(vi) as Required By Law.
7. Permitted Disclosures. Subject to the restrictions set forth in this Agreement regarding Substance Use Disorder Records, Business Associate may disclose PHI only as permitted or required by this Agreement and only for the following purposes:
(i) as necessary to perform the Services;
(ii) for the proper business management and administration of Business Associate or to carry out its legal responsibilities, if Required By Law or if Business Associate has obtained reasonable assurances that the recipient will (A) hold such PHI in confidence, (B) use or further disclose it only for the purpose for which it was received or as Required By Law, and (C) notify Business Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI has been breached; and
(iii) as otherwise Required By Law.
8.1 Except as otherwise provided in the Services Agreement or with the written consent of Covered Entity, all Services shall be performed by employees of Business Associate and Business Associate shall not disclose any PHI to an independent contractor or agent of Business Associate.
8.2 Any disclosure of PHI to a Subcontractor or agent of Business Associate shall be pursuant to a written agreement between Business Associate and such Subcontractor or agent containing substantially the same restrictions and conditions on the use and disclosure of PHI as are set forth in this Agreement. Business Associate shall deliver to Covered Entity a copy of any such agreement with a Subcontractor or agent of Business Associate promptly upon execution thereof.
8.3 Business Associate shall take reasonable steps to ensure that the acts or omissions of its Subcontractors would not breach the terms of this Agreement if done by Business Associate, including without limitation making reasonable inquiry of such Subcontractors regarding their ability to comply with the agreement described in Section 8.2 and taking reasonable steps to monitor such compliance.
9. Prohibited Uses and Disclosures.
9.1 Except as otherwise expressly provided in the Services Agreement, Business Associate shall not remove, transmit, or download PHI from Covered Entity’s premises or systems, or authorize or assist any other person to do so, under any circumstances.
9.2 Subject to Covered Entity’s compliance with its obligations set forth in Section 18 as applicable, Business Associate shall not use or further disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
9.3 Except as otherwise expressly provided in the Services Agreement, Business Associate shall not permit any PHI to be transmitted to, received by, or stored at any location outside of the United States of America and shall not permit any person outside of the United States of America to access or view PHI.
9.4 Business Associate shall not use or disclose PHI for purposes of marketing or fundraising unless the Services expressly include such marketing or fundraising, and then only to the extent necessary to perform the Services.
9.5 Business Associate shall not sell PHI or otherwise receive remuneration, directly or indirectly, in exchange for PHI; provided, however, that this prohibition shall not affect payment to Business Associate by Covered Entity for performance of the Services.
9.6 If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to Section 18, Business Associate shall be bound by such additional restrictions and shall not use or disclose PHI in violation of such additional restrictions.
9.7 Business Associate shall ensure that its officers, employees, agents, and Subcontractors comply with each of the foregoing prohibited uses and disclosures of PHI.
10. Certain Privacy Rule Compliance. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of Part 164 of HIPAA (generally known as the HIPAA Privacy Rule), Business Associate shall comply with such requirements that apply to Covered Entity in the performance of such obligations.
11. Data Breach Investigation and Reporting.
11.1 Business Associate shall notify Covered Entity in reasonable detail by telephone to 832-761-9655 and in writing as set forth in Section 24.1 within twenty-four (24) hours following the discovery of an actual or suspected impermissible use or disclosure of PHI.
11.2 As soon as practicable, but not more than three (3) days following the discovery of an actual or suspected impermissible use or disclosure of PHI, Business Associate at its sole cost shall assess whether such actual or suspected impermissible use or disclosure was of PHI that is Unsecured Protected Health Information and, if so (or if Business Associate cannot determine conclusively to the contrary), Business Associate at its sole cost shall make an evaluation of whether there is a low probability that the PHI has been compromised. In making such evaluation, Business Associate shall conduct a risk assessment that considers, at a minimum, (i) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification, (ii) the unauthorized person who used the protected health information or to whom the disclosure was made, (iii) whether the protected health information was actually acquired or viewed, and (iv) the extent to which the risk to the protected health information has been mitigated, and Business Associate shall evaluate the overall possibility that the PHI has been compromised by considering all of the above, and any other relevant factors, in combination.
11.3 Business Associate shall keep Covered Entity fully apprised of the status of the evaluation described in Section 11.2 while it is underway and shall report the outcome thereof to Covered Entity by telephone to the numbers set forth above, followed by written notice, immediately upon the conclusion of such evaluation.
11.4 Business Associate shall cooperate fully with, and provide such assistance and access to personnel, systems, data, and facilities as reasonably is requested by, Covered Entity in any investigation or evaluation by or on behalf of Covered Entity of such actual or suspected impermissible use or disclosure of PHI.
11.5 If Covered Entity, in its sole discretion, notifies Business Associate (by telephone, e-mail, or any other means of communication) of Covered Entity’s determination that such impermissible use or disclosure is a Breach of PHI that is Unsecured Protected Health Information, Business Associate shall provide Covered Entity in writing, without unreasonable delay but in no case later than three (3) business days following such determination, notice setting forth the date of discovery thereof, the identities of affected individuals (or, if such identities are unknown at that time, the classes of such individuals), a general description of the nature of the incident, and such other information as is required pursuant to HIPAA or reasonably requested by Covered Entity. Business Associate shall supplement such notice with information not available at the time of the initial notification as promptly thereafter as the information becomes available to Business Associate.
11.6 For purposes hereof, an actual or suspected use or disclosure shall be deemed impermissible if it is not or would not be permitted by this Agreement or if it is or would be in violation of HIPAA.
11.7 For purposes hereof, an impermissible use or disclosure shall be deemed discovered by Business Associate as of the first day on which such impermissible use or disclosure is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate, and Business Associate shall be deemed to have knowledge of an impermissible use or disclosure if such impermissible use or disclosure is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the impermissible use or disclosure, who is a workforce member of Business Associate or an agent of Business Associate (determined in accordance with the federal common law of agency).
12. Security Incident Reporting. Business Associate shall report to Covered Entity in writing any Security Incident involving Electronic PHI, other than a Security Incident that involves an actual or suspected impermissible use or disclosure of PHI reported pursuant to Section 11, within two (2) days of Business Associate’s discovery thereof. The parties acknowledge and agree that this Section 12 constitutes notice by Business Associate to Covered Entity of the ongoing occurrence of events that may constitute Security Incidents but that are trivial, routine, do not constitute a material threat to the security of PHI, and do not result in unauthorized access to or use or disclosure of PHI (such as typical pings and port scans), for which no additional notice to Covered Entity shall be required.
13. Reimbursement; Mitigation. Business Associate shall reimburse Covered Entity for all reasonable costs and expenses incurred by Covered Entity as a result of a Breach of PHI or of any use or disclosure of PHI in violation of the terms and conditions of this Agreement or of any applicable law, and Business Associate shall take all actions reasonably necessary, and Business Associate shall cooperate with Covered Entity as reasonably requested, to mitigate, to the extent practicable, any harmful effect of such occurrence.
14. Access and Amendment. Business Associate shall notify Covered Entity promptly upon receipt of a request from such an Individual for access to or a copy of such Individual’s PHI or to amend such Individual’s PHI. To the extent permitted under HIPAA, and except as otherwise required upon the order of a court of competent jurisdiction, (i) Business Associate shall direct such Individual to make such request of Covered Entity and (ii) Business Associate shall not consent to such access, deliver such copy, or comply with such request except as directed by Covered Entity. With respect to PHI maintained by Business Associate in a Designated Record Set (if any), upon the request of Covered Entity from time to time Business Associate shall (i) make available PHI to Individuals or Covered Entity in such form and format as reasonably directed by Covered Entity so that Covered Entity may meet its access obligations under HIPAA and (ii) upon receipt of notice from Covered Entity, promptly amend any portion of the PHI so that Covered Entity may meet its amendment obligations under HIPAA.
15. Accounting for Disclosures. Business Associate shall document all disclosures of PHI by Business Associate and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. Business Associate shall maintain such information for the applicable period set forth in HIPAA. Business Associate shall deliver such information to Covered Entity or, upon Covered Entity’s request, to the Individual, in the time and manner reasonably designated by Covered Entity, in order for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. The obligations set forth in this Section 15 shall survive the expiration or any termination of this Agreement and shall continue, as to a given instance of disclosure, until the earlier of (i) the passing of the time required for such information to be maintained pursuant to HIPAA or (ii) the delivery to Covered Entity of all such information in a form and medium reasonably satisfactory to Covered Entity and the return or destruction of all PHI as provided in this Agreement.
16.1 If Business Associate receives a request, made on behalf of the Secretary of the Department of Health and Human Services, that Business Associate make its internal practices, books, and records relating to the use or disclosure of PHI available to the Secretary of the Department of Health and Human Services for the purposes of determining Covered Entity’s or Business Associate’s compliance with HIPAA, Business Associate promptly shall notify Covered Entity of such request and, unless enjoined from doing so by order of a court of competent jurisdiction in response to a challenge raised by Covered Entity or Business Associate (which challenge Business Associate shall not be obligated to raise), Business Associate shall comply with such request to the extent required of it by applicable law.
16.2 Promptly upon the written request of Covered Entity from time to time, Business Associate shall (i) provide accurate and complete written responses to questionnaires from Covered Entity regarding Business Associate’s internal practices, books, and records relating to the use, disclosure, and safeguarding of PHI and (ii) make its internal practices, books, and records relating to the use, disclosure, and safeguarding of PHI (including without limitation its documented policies and procedures with respect thereto, documentation evidencing the training of its personnel with respect thereto, and other documentation required under HIPAA) available to Covered Entity or Covered Entity’s designee for the purposes of determining Business Associate’s compliance with HIPAA and with its obligations under this Agreement.
16.3 Nothing in this Agreement shall waive any attorney-client privilege or other privileges applicable to either party.
17. Compliance with Law. Business Associate shall comply with all applicable federal and state laws regarding individually identifiable information contained in or associated with PHI, including without limitation any state data breach laws or other state laws regarding the protection of such information. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without a written authorization from an Individual who is the subject thereof, or written authorization from any other person, where such authorization would be required under federal or state law for such use or disclosure.
18. Obligations of Covered Entity. Covered Entity shall (i) notify Business Associate of any limitation in Covered Entity’s Notice of Privacy Practices to the extent that such limitation may affect Business Associate’s use or disclosure of PHI, (ii) notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such change may affect Business Associate’s use or disclosure of PHI, and (iii) notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with HIPAA, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
19. Ownership of Data. Unless otherwise expressly set forth in the Services Agreement or otherwise agreed in writing by Covered Entity, any data created from de-identifying PHI or from Data Aggregation by or on behalf of Business Associate, whether or not created in accordance with the terms of this Agreement, shall be and remain exclusively the property of Covered Entity. Unless otherwise expressly set forth in the Services Agreement or otherwise agreed in writing by Covered Entity, Business Associate assigns to Covered Entity all of Business Associate’s right, title, and interest in and to any such data, if any, and Business Associate shall neither use any such data for any purpose other than to provide the Services nor disclose such data to any third party except with the prior written consent of Covered Entity or as otherwise required by applicable law or upon the order of a court of competent jurisdiction.
20. Term and Termination. This Agreement shall become effective on the Effective Date and shall continue in effect until the earlier to occur of (i) the expiration or termination of all Services Agreements or (ii) termination pursuant to this Section 20. Either party may terminate this Agreement effective immediately if it determines that the other party has breached a material provision of this Agreement and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the non-breaching party reasonably determines that cure is not possible, such party may terminate this Agreement effective immediately upon written notice to the other party.
21. Effect of Termination. Upon termination of this Agreement, Business Associate shall deliver to Covered Entity the disclosure accounting information as provided in this Agreement and return to Covered Entity or destroy all PHI that Business Associate maintains in any form and retain no copies of such PHI; provided, however, that if Business Associate determines that return or destruction is not feasible (including without limitation if Business Associate is required by applicable law to retain any such PHI for a time following termination), Business Associate shall notify Covered Entity thereof and, upon Covered Entity’s agreement in writing in its sole discretion, Business Associate may retain such portions of the PHI for which return or destruction is not feasible until return or destruction is feasible and Business Associate shall extend the protections of this Agreement to the PHI and limit its further use or disclosure to those purposes that make the return or destruction of the PHI infeasible. The requirements of this Section 21 shall survive termination or expiration of this Agreement and shall be in force as long as any PHI remains in the custody or control of Business Associate.
22. Indemnification. Business Associate shall indemnify, defend, and hold harmless Covered Entity, its affiliates, and each of their respective directors, officers, representatives, agents, employees, and contractors, against any losses, liabilities, damages, awards, settlements, claims, suits, proceedings, costs and expenses (including without limitation reasonable legal fees and disbursements and costs of investigation, litigation, expert witness fees, settlement, judgment, interest, and penalties) resulting from or relating to a Breach of PHI or other use or disclosure of PHI that is not permitted by this Agreement, a breach by Business Associate of any provision of this Agreement, or Business Associate’s violation of HIPAA or other applicable law. Covered Entity shall notify Business Associate promptly in writing of the claim or threat thereof; provided, however, that notification at any time by Covered Entity to Business Associate of the claim shall be considered prompt enough to meet the foregoing condition if any delay in providing Business Associate with notice of the claim is not materially prejudicial to Business Associate. Covered Entity shall permit Business Associate to have sole control over the defense and, subject to the terms of this paragraph, the settlement of the claim. Business Associate shall keep Covered Entity informed of its efforts and shall not settle the claim without Covered Entity’s prior written consent, such consent not to be unreasonably withheld. No withholding of such consent by Covered Entity shall be deemed unreasonable if such settlement involves any remedy aside from the immediate payment of money or does not include a full and unconditional release of Covered Entity from any liability. Any provision of a Services Agreement to the contrary notwithstanding, no limitation of liability shall apply to the obligations set forth in this paragraph.
23. Insurance. Business Associate shall maintain, at its cost, a policy or policies of professional liability insurance having the limit of liability of no less than $100,000.00 per claim/$1,500,000.00 in the aggregate covering the unauthorized acquisition, access, use, physical taking, release, distribution, or disclosure of personal information, identity theft, and breaches by third parties and employees, for costs and expenses arising from or relating to an unauthorized disclosure or use of PHI or any use or disclosure of PHI in violation of the terms and conditions of this Agreement, including without limitation such costs and expenses of notification, fraud alert and credit monitoring, mitigation of damages, consultants, forensic investigation, and legal expenses and for Business Associate’s indemnification obligations under this Agreement. Such insurance policy or policies shall be issued by an insurance company reasonably satisfactory to Covered Entity and, only if so requested in writing by Covered Entity, shall name Covered Entity as an additional insured. Business Associate shall provide Covered Entity evidence of such coverage reasonably acceptable to Covered Entity upon execution of this Agreement and upon request of Covered Entity from time to time. The limits of any insurance coverage shall not limit Business Associate’s liability under any provision of this Agreement or any Services Agreement. If any such insurance policy is a “claims made” policy, Business Associate shall (i) obtain continuing like coverage for claims that arise out of this Agreement and provide to Covered Entity evidence thereof for five years after the expiration or any termination of this Agreement or (ii) purchase an extended reporting endorsement (“tail coverage”) if the “claims made” policy is terminated at any time during such period.
24.1 Notices. Except as otherwise provided in this Agreement, notices and reports given under this Agreement shall be in writing and sent to:
To Business Associate at:
PO Box 3261
Rancho Santa Fe, CA 92067
and to Covered Entity at the address shown on the signature page hereof. Such written notices shall be deemed given (i) when personally delivered, (ii) on the third business day after deposit, properly addressed and postage pre-paid, when sent by certified or registered U.S. mail to the address provided herein, or (iii) on the next business day when sent with next-business-day instruction by recognized overnight delivery service to the address provided herein; provided, however, that written notice pursuant to Section 11 shall be sent with next-business-day instruction by recognized overnight document delivery service to the address provided herein.
24.2 Nature of Relationship. Business Associate shall perform all services hereunder as an independent contractor to Covered Entity, and nothing contained herein shall be deemed to create any agency or other relationship between the parties or any of their affiliates. Neither party shall have the right, power, or authority under this Agreement to create any duty or obligation on behalf of the other party.
24.3 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State that govern the Services Agreement, without regard to conflict of laws principles that would result in the application of any law other than the law of such State, and venue for any dispute under this Agreement shall be the same as the venue for a dispute under the Services Agreement.
24.4 Waiver. A waiver with respect to one event shall not be construed as continuing, or as a bar to, or waiver of, any right or remedy as to subsequent events.
24.5 Severability. If any one or more of the provisions of this Agreement should be ruled wholly or partly invalid or unenforceable by a court or other government body of competent jurisdiction, then (i) the validity and enforceability of all provisions of this Agreement not ruled to be invalid or unenforceable will be unaffected; (ii) the effect of the ruling will be limited to the jurisdiction of the court or other government body making the ruling; (iii) the provision(s) held wholly or partly invalid or unenforceable would be deemed amended, and the court or other government body is authorized to reform the provision(s), to the minimum extent necessary to render them valid and enforceable in conformity with the parties’ intent as manifested herein; and (iv) if the ruling, and/or the controlling principle of law or equity leading to the ruling, subsequently is overruled, modified, or amended by legislative, judicial or administrative action, then the provision(s) in question as originally set forth in this Agreement will be deemed valid and enforceable to the maximum extent permitted by the new controlling principle of law or equity.
24.6 Entire Agreement. This Agreement, together with each Services Agreement, constitutes the entire agreement between the parties concerning the subject matter hereof. No prior or contemporaneous representations, inducements, promises, or agreements, oral or otherwise, between the parties with reference thereto will be of any force or effect. Each party represents and warrants that, in entering into and performing its obligations under this Agreement, it does not and will not rely on any promise, inducement, or representation allegedly made by or on behalf of the other party with respect to the subject matter hereof, nor on any course of dealing or custom and usage in the trade, except as such promise, inducement, or representation may be expressly set forth herein.
24.7 Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the parties; provided, however, that upon the enactment of any law or regulation affecting the use or disclosure of PHI, or on the publication of any decision of a court of competent jurisdiction relating to any such law, or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, Covered Entity may, by written notice to Business Associate, propose to amend this Agreement in such a manner as Covered Entity reasonably determines necessary to comply therewith, and such proposed amendment shall become operative unless Business Associate rejects such amendment by written notice to Covered Entity within thirty (30) days thereafter, in which case, unless the parties agree on an amendment within thirty (30) days after Business Associate’s notice, either party may terminate this Agreement by written notice to the other.
24.8 No Third Party Beneficiaries. Except for the rights of indemnitees expressly set forth herein, no provision of this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever, and any implication to the contrary is expressly disclaimed by each party.
24.9 Injunctive Relief. Business Associate acknowledges that the breach or threatened breach by it of any provision of this Agreement may cause Covered Entity irreparable harm and that Covered Entity may not have an adequate remedy for such breach at law, and Business Associate therefore agrees that upon any breach or threatened breach of this Agreement, Covered Entity will be entitled to seek, and Business Associate shall not object to, injunctive relief to prevent Business Associate from commencing or continuing any action that constitutes or would constitute such breach, or to compel Business Associate to take action required under this Agreement or otherwise specifically perform hereunder, without bond, without the need of proof of actual damages, and without prejudice to any other rights or remedies to which Covered Entity may be entitled as a result of a breach of this Agreement.
24.10 Headings; Interpretation. The headings of the sections used in this Agreement are included for convenience only and are not to be used in construing or interpreting this Agreement. In the event of a conflict between the terms of this Agreement and the terms of the Services Agreement, this Agreement shall control. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of HIPAA, as amended, or its interpretation by any court or regulatory agency with authority over either party hereto, HIPAA (interpreted by such court or agency, if applicable) shall control. Where provisions of this Agreement are different from those mandated under HIPAA, but are nonetheless permitted by such rules as interpreted by relevant courts or agencies, the provisions of this Agreement shall control.
24.11 Counterparts. This Agreement may be executed in separate counterparts, each of which so executed and delivered shall constitute an original, but all such counterparts constitute one and the same instrument.
Manually-executed counterparts may be delivered in a scanned electronic form, each of which (whether originally executed or such a scanned electronic document) shall be deemed an original, and all of which together shall constitute one and the same instrument. In making proof of this Agreement, it shall not be necessary to produce or account for more than one counterpart hereof signed by each of the parties.
[Signature Page Follows]
Reveal My DNA is an Authorized Representative and Distributor of myDNA, Inc.