BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this “Agreement”) is entered into as of _______________________ (the “Effective Date”), by and between _________________________________, a _______________________, ______________ [State][Company Type] (“Covered Entity”), and McLane Intelligent Solutions, LLC, a Limited Liability Company (“Business Associate”). Covered Entity and Business Associate are individually a “Party” and collectively the “Parties.”
A. In conjunction with the performance of a function, activity or service provided by Business Associate to, or on behalf of, Covered Entity pursuant to the __________________________, dated _____________________ (the “Services Agreement”), Covered Entity will make available or transfer to Business Associate, or Business Associate may create or otherwise receive certain PHI (defined below) which is confidential and must be afforded special treatment and protection under the Privacy Rule, Breach Notification Rule, Security Rule, HITECH Act, MRPA, ITEPA (as each is defined below), and similar provisions of other applicable state laws governing the use and disclosure of PHI (collectively, the “Applicable Privacy and Security Laws”).
B. The Parties acknowledge and agree that such PHI can be used or disclosed only in accordance with this Agreement and Applicable Privacy and Security Laws.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are acknowledged, Covered Entity and Business Associate, intending to be legally bound, agree as follows:
1. Definitions. Terms used, but not otherwise defined, in this Agreement have the same meaning as those ascribed to the terms in the Health Insurance Portability and Accountability Act of 1996 (as amended by the Health Information Technology for Economic and Clinical Health Act, Subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”)), and the regulations promulgated thereunder as set forth in the Code of Federal Regulations (“C.F.R.”) at Title 45, Part 160, Part 162 and Part 164, and other applicable laws (collectively, “HIPAA”). In addition, the following terms will have the following meanings:
1.1 “Breach” means the same as the term “breach” at 45 C.F.R. 164.402.
1.2 “Breach Notification Rule” means 45 C.F.R. 164.400, et seq.
1.3 “Electronic PHI” means individually identifiable health information that is transmitted or maintained by electronic media as described in HIPAA.
1.4 “Electronic Transactions Rule” means the final regulations issued by HHS concerning standard transactions and code sets under 45 C.F.R. Parts 160 and 162.
1.5 “HHS” means the U.S. Department of Health and Human Services.
1.6 “Identity Theft Enforcement and Protection Act” or “ITEPA” means the Texas Identity Theft Enforcement and Protection Act, Chapter 521 of the Business and Commerce Code.
1.7 “Individual” means the person who is the subject of the PHI, has the same meaning as the term “individual” as defined in HIPAA, and includes a personal representative in accordance with 45 C.F.R. 164.502(g).
1.8 “Medical Records Privacy Act” or “MRPA” means the Texas Medical Records Privacy Act, Chapter 181 of the Health and Safety Code.
1.9 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164.
1.10 “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” as defined in HIPAA, limited to the information created or received by Business Associate from, or on behalf of, Covered Entity. For purposes of this Agreement, the definition of PHI also includes all other “private,” “personal,” or “sensitive personal information,” as such terms (or substantially similar terms) may be defined under any applicable state laws, including, but not limited to, the ITEPA, notwithstanding such information may not, in all cases, be considered PHI as defined in HIPAA.
1.11 “Reportable Incident” means any successful Security Incident or other actual breach of security, intrusion or unauthorized use or disclosure of Unsecured PHI in violation of this Agreement or Applicable Privacy and Security Laws, in each case, that compromises Covered Entity’s PHI of which Business Associate discovers. Notwithstanding the preceding, an attempted Security Incident will be considered a Reportable Incident only if it is successful.
1.12 “Required by Law” has the same meaning as the term “required by law” as defined in HIPAA.
1.13 “Secretary” means the Secretary of HHS or his or her designee.
1.14 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.15 “Security Rule” means the Standards for the Security of Electronic Protected Health Information, C.F.R. at Title 45, Parts 160, 162 and 164.
1.16 “Subcontractor” means a person (other than a workforce member of Business Associate) to whom Business Associate delegates a function, activity or service Business Associate has agreed to perform for Covered Entity.
1.17 “Transaction” has the same meaning as the term “transaction” as defined in HIPAA.
1.18 “Unsecured PHI” has the same meaning as the term “Unsecured protected health information” as defined in 45 C.F.R. 164.402.
2. Permitted Uses and Disclosures by Business Associate.
2.1 General Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity, if such use or disclosure by Business Associate complies with the Privacy Rule’s minimum necessary policies and procedures required of Business Associate, and if such use or disclosure of PHI would not violate Applicable Privacy and Security Laws if done by Business Associate.
2.2 Limits on Uses and Disclosures. Business Associate agrees that Business Associate will be prohibited from using or disclosing the PHI for any purpose other than as expressly permitted and / or required by this Agreement or the Services Agreement, or permitted by law or as Required by Law.
2.3 Data Aggregation. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).
2.4 Use for Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities.
2.5 Disclosure for Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that:
(a) The disclosure is Required by Law; or
(b) Business Associate obtains, in writing: (i) reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential as provided in this Agreement and will be used or further disclosed only as Required by Law, or for the purpose for which it was disclosed to the person; and (ii) agreement from such person, in accordance with Section 4.11, to notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been Breached.
3. Prohibited Uses and Disclosures. Business Associate will not:
(a) Make or cause to be made, without authorization, any (i) marketing communication about a product or service using PHI, or (ii) written fundraising communication using PHI, that is prohibited under Applicable Privacy and Security Laws;
(b) Disclose PHI to a health plan for payment or health care operations (as defined under the Privacy Rule) purposes if Covered Entity has provided reasonable advance written notice to Business Associate that the Individual has (i) requested this special restriction, and (ii) paid out-of-pocket in full for the health care item or service to which the PHI solely relates, in accordance with the Privacy Rule; except to the extent Business Associate has relied on such use or disclosure or an exception applies. Notwithstanding anything else, a disclosure of PHI made through the use of any solutions, products, or software shall be deemed and treated as a disclosure by Covered Entity (and not by Business Associate) if the disclosure was made (i) by or at the specific request of Covered Entity and/or any authorized user(s), or (ii) under Covered Entity or any authorized user account (and not as a result of Business Associate’s negligence); or
(c) Directly or indirectly receive remuneration in exchange for PHI without authorization, except as otherwise permitted by Applicable Privacy and Security Laws; provided, however, that this prohibition does not affect payment by Covered Entity to Business Associate in connection with the Services Agreement.
4. Business Associate Obligations.
4.1 Appropriate Safeguards. Business Associate will establish and maintain reasonable and appropriate administrative, physical, and technical safeguards to:
(a) Prevent the use or disclosure of PHI, other than as permitted and/or required by this Agreement, by, among other things, encrypting Electronic PHI stored on Business Associate-owned laptops and removable media devices or transmitted over the Internet by Business Associate and destroying paper PHI when it is not in use as required by the HIPAA Regulations; and
(b) Protect the confidentiality, integrity, and availability of the Electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
4.2 Security Rule. Business Associate will comply with the applicable policies and procedures and documentation requirements of the Security Rule set forth in 45 C.F.R. 164.308, 45 C.F.R. 164.310, 45 C.F.R. 164.312 and 45 C.F.R. 164.316; including, but not limited to, implementing reasonable and appropriate security measures to protect Electronic PHI.
4.3 Subcontractors. Business Associate will ensure that any Subcontractor to whom Business Associate provides PHI agrees in writing to:
(a) The same restrictions, conditions and obligations that apply to Business Associate with respect to such PHI; and
(b) Implement reasonable and appropriate administrative, physical, and technical safeguards to protect Electronic PHI.
4.4 Right of Access to PHI. Except as otherwise limited in this Agreement, if Business Associate is required by the Services Agreement to maintain Covered Entity’s Designated Record Set, Business Associate agrees to provide access to such PHI maintained by Business Associate (or its Subcontractor(s)) in a Designated Record Set (if applicable and as defined in HIPAA) to Covered Entity in order for Covered Entity to meet the requirements under 45 C.F.R. 164.524, at the receipt of a reasonable advance written request of Covered Entity. If Business Associate maintains an Electronic Designated Record Set, Business Associate will provide such information in electronic format to enable Covered Entity to fulfill its obligations under the Privacy Rule, if readily producible.
4.5 Amendments to PHI. If Business Associate is required by the Services Agreement to maintain Covered Entity’s Designated Record Set, Business Associate agrees to make any amendment(s) to such PHI in a Designated Record Set, if applicable, that Covered Entity agrees to pursuant to 45 C.F.R. 164.526, at the receipt of a reasonable advance written request of Covered Entity, and in a reasonable time and manner. If any Individual requests an amendment of PHI directly from Business Associate, to the extent Business Associate is able to identify the Individual as a patient of Covered Entity, Business Associate must inform the Individual to contact Covered Entity directly or notify Covered Entity in writing within five (5) business days of receipt of the request. Any approval or denial of amendment of PHI maintained by Business Associate will be the responsibility of Covered Entity.
4.6 Access to Books and Records. Business Associate agrees to make Business Associate’s internal policies, procedures, practices, books, and records relating to the use, disclosure, and safeguarding of PHI available to the Secretary, in a reasonable time and manner specified by the Secretary, for purposes of determining Covered Entity’s or Business Associate’s compliance with Applicable Privacy and Security Laws.
4.7 Documentation of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
4.8 Provide Accounting. Business Associate agrees to provide to Covered Entity upon receipt of a reasonable written request from Covered Entity in connection with such a request from the Individual, in a reasonable time and manner, information collected in accordance with Section 4.7, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate (for the Term of this Agreement or at least the minimum number of years prior to the request required by 45 C.F.R. 164.528, whichever is shorter). At a minimum, information collected and maintained will include: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, a copy of the Individual’s authorization, or a copy of the written request for disclosure. In the event that the request for an accounting is delivered directly to Business Associate (or its Subcontractor(s)), to the extent Business Associate is able to identify the Individual as a patient of Covered Entity, Business Associate will inform the Individual to contact Covered Entity directly or forward a copy of the request to Covered Entity within five (5) business days of receipt. It will be Covered Entity’s responsibility to prepare and deliver any such accounting requested. The provisions of this Section 4.8 will survive the termination of this Agreement, for only so long as Business Associate maintains such PHI as set forth in Section 6.5 below.
4.9 Limited Data Set or Minimum Necessary. Business Associate will request, use and disclose only a limited data set (as defined in 45 C.F.R. 164.514(e)(2)), or, if needed, the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, as required by the Privacy Rule.
4.10 Mitigation Procedures. In addition to the requirements set forth below in Section 4.11, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
4.11 Reports and Notifications; Unauthorized Use or Disclosure, Security Incident or Breach.
(a) During the term of this Agreement, Business Associate will (unless Business Associate is prevented from doing so on account of a law enforcement investigation as described in 45 C.F.R. 164.412, or a similar provision of applicable state law) notify Covered Entity in accordance with Section 8.6, in writing, within ten (10) business days of the date of Business Associate’s discovery of any Reportable Incident. Such notification will identify, to the extent available, the: (i) date and scope of the Reportable Incident; and (ii) Business Associate’s response to the Reportable Incident, if known. Business Associate agrees to notify Covered Entity of the ongoing existence and occurrence of any attempted but unsuccessful Security Incident, after which no additional report or notice to Covered Entity shall be required.
(b) Business Associate acknowledges that any acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule (except as otherwise provided in the Breach Notification Rule) which compromises the security or privacy of the PHI is presumed to be a Breach unless it can be demonstrated by Business Associate or Covered Entity, that there is a low probability that the PHI has been compromised.
(c) In the event any Reportable Incident is determined by Business Associate or Covered Entity to be a Breach with respect to Unsecured PHI, Business Associate will (in addition to the notification required by Section 4.11(a) above) provide written notification within ten (10) business days of such determination including, to the extent known: (i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach; (ii) a brief description of what happened, including the date of the Breach and the date of the Business Associate’s discovery of the Breach, if known; (iii) a description of the types of Unsecured PHI involved in the Breach; (iv) any steps affected Individuals should take to protect themselves from potential harm resulting from the Breach; (v) a brief description of what Business Associate is doing to (A) investigate the Breach, (B) mitigate harm to Individuals, and (C) protect against further Breaches; (vi) contact procedures for affected Individuals, which will include a toll-free telephone number, an e-mail address, web site, or postal address; and (vii) any additional information required under applicable state breach notification laws.
(d) Business Associate will take prompt corrective action to cure any such Reportable Incident, and at the reasonable request of Covered Entity, any action pertaining to the Reportable Incident required by Applicable Privacy and Security Laws.
(e) For purposes of this Section 4.11, a Reportable Incident will be deemed discovered by Business Associate when Business Associate actually knows of the Reportable Incident or, by exercising reasonable diligence, would have known of the Reportable Incident.
(f) In the event of any conflict between the requirements of this Section 4.11, the Services Agreement or any Applicable Privacy and Security Laws, applicable law will govern.
4.12 Compliance with HIPAA. Business Associate, to the extent it is functioning as a “business associate” (as defined in HIPAA) of Covered Entity, will comply with the requirements of the HIPAA Regulations and with the obligations of a “business associate” as prescribed by HIPAA, as amended by the Omnibus Rule. In addition, if Business Associate conducts electronic Transactions on behalf of Covered Entity, in whole or in part, for which HHS has established standards, each Party will comply, and Business Associate will require any Subcontractor it involves with the conduct of such Transactions to comply, with the applicable requirements of the Electronic Transactions Rule. Each Party will also comply with the other requirements of 45 C.F.R. Part 162, if and to the extent applicable.
4.13 Compliance with State Law. Business Associate, to the extent it is functioning as a “covered entity” (as defined in the MRPA), will comply with the applicable requirements of MRPA, including, but not limited to, the training requirements set forth in Section 181.101 of the MRPA. Business Associate will comply with the requirements of Section 521.052 of the ITEPA, and to the extent not otherwise required by Section 4.11, Business Associate will provide any required notifications to Covered Entity (and, at Covered Entity’s request, to any other parties entitled to notification) in accordance with Section 521.053 of the ITEPA. In the event that Business Associate has access to PHI with respect to any Individual who is not a resident of Texas, Business Associate will comply with any applicable state laws similar to the MRPA or ITEPA, including, but not limited to, any notification requirements thereunder.
5. Covered Entity Obligations.
5.1 Provide Notice. Covered Entity will provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice, in a reasonable time and manner, when such copy of the notice or amended notice is required for compliance with the Privacy Rule.
5.2 Provide Changes of Authorization or Permission. Covered Entity will provide, in writing and in a reasonable time and manner, Business Associate with any changes in, or revocation of, authorization or permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
5.3 Provide Restrictions. Covered Entity will notify Business Associate, in writing and in a reasonable time and manner, of any restrictions to the use or disclosure of PHI changing Business Associate’s obligations that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522.
5.4 Permissible Requests by Covered Entity. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under Applicable Privacy and Security Laws, or this Agreement.
5.5 Covered Entity represents and warrants that it has obtained all consents, authorizations, or other permissions necessary under Applicable Privacy and Security Laws.
5.6 Covered Entity agrees to take all reasonable and appropriate steps to ensure compliance with its role as a Covered Entity, including security measures such as firewalls, patch installations, and encryption.
6. Term and Termination.
6.1 Term. The term of this Agreement will commence as of the Effective Date and will terminate either as set forth in Section 6.2 below or when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity in compliance with Section 6.4.
6.2 Termination for Cause. Upon either Party’s knowledge of a material breach of this Agreement by the other Party, the non-breaching Party may provide written notice of such breach to the breaching Party and, if it desires to preserve the right to terminate for such material breach, specify in such breach notice a reasonable period of time of at least sixty (60) days for breaching Party to cure the breach and provide an opportunity for the breaching Party to cure the breach or end the violation. If the breaching Party does not cure the breach or end the violation within the time period specified in the written notice, the non-breaching Party may immediately terminate this Agreement and/or the Services Agreement upon further written notice to the breaching Party. If the parties agree in writing that cure is not reasonably possible, the non-breaching Party may immediately terminate this Agreement and/or the Services Agreement.
6.3 Special Termination. In the event that any federal or state law or regulation currently existing or hereinafter enacted makes performance of this Agreement impossible or illegal, the Parties mutually agree to enter into good faith negotiations to agree on a modification of this Agreement to make substantial performance of this Agreement possible and legal.
6.4 Effect of Termination.
(a) Except as otherwise limited in this Agreement, and except as provided in Section 6.4(b), upon termination of this Agreement, for any reason, Business Associate agrees to return all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, or destroy such PHI. If Business Associate elects destruction, Business Associate will certify in writing that the PHI has been destroyed and will describe the manner in which it was destroyed. This provision will also apply to PHI that is in the possession of any Subcontractor(s). Business Associate (and its Subcontractor(s)) will retain no copies of the PHI following termination of this Agreement, if feasible.
(b) In the event that Business Associate determines that returning, or destroying, the PHI is not feasible, Business Associate will provide to Covered Entity notification of the conditions that make return or destruction of the PHI not feasible. Upon mutual agreement of the Parties that return or destruction of PHI is not feasible, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.
(c) Except as otherwise limited in this Agreement and if permitted by law, termination of this Agreement will not relieve either Party from fulfilling any obligation under this Agreement that, at the time of termination, has already accrued to the other Party or which thereafter may accrue with respect to any act or omission that occurred prior to such termination.
7. Limitation of Liability.
7.1 IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES IN ANY WAY ARISING OUT OF THIS AGREEMENT AND HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS OR LOSS OF DATA, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL BUSINESS ASSOCIATE’S CUMULATIVE LIABILITY ARISING OUT OF THIS AGREEMENT EXCEED THE AMOUNTS ACTUALLY PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE IN THE PRECEDING 12 MONTHS UNDER THE AGREEMENT, PROVIDED THAT SUCH LIMITATION SHALL NOT BE CONSTRUED TO LIMIT EITHER PARTY’S INDEMNITY OBLIGATIONS UNDER SECTION 8. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
8.1 Amendments. The Parties agree to take such action as is necessary to negotiate in good faith to amend this Agreement from time to time as is necessary for Business Associate and the Covered Entity to agree to comply with the requirements of Applicable Privacy and Security Laws that are binding on such Party under such regulations. This Agreement may be amended only pursuant to a written agreement between the Parties. The Parties acknowledge that federal and state laws related to data security and privacy may evolve and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such laws. The Parties understand that Covered Entity must receive satisfactory written assurances from Business Associate that Business Associate will adequately safeguard all PHI.
8.2 Binding Effect. This Agreement will be binding upon, inure to the benefit of, and be enforceable by, the Parties and the Parties’ respective successors and assigns.
8.3 Counterparts. This Agreement may be executed simultaneously in one or more counterparts, each of which will be deemed an original but all of which together will constitute one and the same instrument. Signatures to this Agreement transmitted by facsimile or by e-mail in portable document format (i.e., “.pdf”), or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, will have the same force and effect as manually executed signature pages to this Agreement and will be fully binding and enforceable without the need for delivery of the original manually executed signature page.
8.4 Remedies. All rights and remedies of the Parties under this Agreement will be the sole and exclusive.
8.5 Severability. If any provision of this Agreement is held to be illegal, invalid, or unenforceable under present or future laws, by a court of competent jurisdiction, such provision will be fully severable, and this Agreement will be construed and enforced as if such illegal, invalid, or unenforceable provision never comprised a part of this Agreement; and the remaining provisions of this Agreement will remain in full force and effect and will not be affected by the illegal, invalid, or unenforceable provision or by its severance from this Agreement.
8.6 Notices.
(a) Any notices or communications to be given under this Agreement by either Party to the other Party will be deemed to have been duly given if in writing and (i) personally delivered, (ii) sent by nationally recognized overnight courier, or (iii) sent by mail, certified, postage prepaid with return receipt requested, in each case, at the address for such other Party set forth below:
If to Covered Entity, addressed to:
If to Business Associate, addressed to:
McLane Intelligent Solutions, LLC
4001 Central Pointe Parkway
Temple, TX 76504
Attention: Compliance Officer
(b) Notices delivered personally, by courier, or by overnight courier will be deemed communicated as of actual receipt. Mailed notices will be deemed communicated as of 10:00 a.m. on the third business day after mailing. Any Party may change such Party’s address for notice under this Agreement by giving prior written notice to the other Party of such change in the manner provided in this Section 8.6.
8.7 Cooperation. Both Business Associate and Covered Entity acknowledge that mutual reasonable cooperation is essential to each Party’s performance under this Agreement; therefore, it will be the duty of both Parties to make all good faith efforts to reasonably cooperate in the performance of this Agreement.
8.8 Indemnification.
(a) Subject to the indemnification procedures and limitations of liability, each Party (as “Indemnifying Party”) will defend, indemnify, and hold harmless the other (“Indemnified Party”) against any and all (i) incurred damages, liabilities, settlements, judgments, costs and expenses resulting from corresponding third party claims and lawsuits that are awarded or adjudged to such third party by a court or arbitration panel or approved in writing by the Indemnifying Party, and (ii) reasonable and necessary out-of-pocket expenses in connection with notifications required by law, in each case, to the extent arising from the unauthorized use or disclosure of PHI to the extent attributable to either a material breach of this BAA or to the negligent acts or wrongful omissions by Indemnifying Party.
(b) Indemnified Party’s right to defense and/or indemnification hereunder is conditioned upon the following: prompt notice to Indemnifying Party and demand for payment of any claim for which indemnity and/or defense is sought; control of the selection of counsel, investigation, preparation, defense and settlement thereof by Indemnifying Party; and reasonable cooperation by the Indemnified Party, at Indemnifying Party’s request and expense, in the defense of the claim. Indemnified Party shall have the right to participate in the defense of a claim by Indemnifying Party with counsel of the Indemnified Party’s choice at the Indemnified Party’s expense.
(c) An Indemnified Party’s sole and exclusive remedy and Indemnifying Party’s sole liability for any breach of this Agreement or negligent acts or wrongful omissions by Indemnifying Party are the remedies set forth in this Section. In no event shall either Party be liable to the other under any contract, negligence, strict liability or other legal or equitable theory for any special, incidental, consequential, exemplary, punitive, or other indirect damages of any character, including, but not limited to, loss of revenue or profits or lost business, even if the Party has been advised of the possibility of such damages.
8.9 Governing Law. To the extent this Agreement is not governed exclusively by federal statutory or regulatory law, it will be governed in accordance with the laws of the State of Texas (without regard to Texas’ conflicts of laws rules). Venue of any action relating to, or arising out of, this Agreement will lie exclusively in the courts located in Dallas, Texas.
8.10 Equitable Relief. Each Party understands and acknowledges that any unauthorized use or disclosure of PHI in material breach of this Agreement may cause the other Party irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that the non-breaching Party shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further unauthorized use or disclosure of PHI in material breach of this Agreement.
8.11 Assignment. Neither Party will assign this Agreement without the other Party’s prior, express, and written consent, which consent will not be unreasonably withheld, delayed, or conditioned. Notwithstanding the preceding, each Party has the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of the assigning Party, without prior approval of the other Party.
8.12 Third Party Beneficiaries. Nothing in this Agreement will be construed to create any third party beneficiary rights, remedies, obligations, or liabilities in any person or entity other than Covered Entity and Business Associate and their respective successors and assigns.
8.13 Waivers. The failure of a Party at any time or times to require performance of any provision of this Agreement will in no manner affect such Party’s right at a later time to enforce such provision. No waiver by a Party of any provision or breach of this Agreement will be effective unless in writing, and no waiver in any one or more instances will be deemed to be a further or continuing waiver in any other instance.
8.14 Force Majeure. Neither Party will be liable or be deemed in breach of this Agreement for any failure or delay of performance that results, directly or indirectly, from acts of God, pandemic, civil or military authority, public disturbance, acts of terrorism, accidents, fires, or any other cause beyond the reasonable control of either Party, and such nonperformance will not be grounds for termination.
8.15 Regulatory References. A reference in this Agreement to a provision or section in any Applicable Privacy and Security Laws means the provision or section (and any implementing regulations, if applicable) in effect on the Effective Date, or as later amended, and for which compliance is required.
8.16 Interpretation. In the interpretation of this Agreement, except where the context otherwise requires, (i) “including” or “include” does not denote or imply any limitation, (ii) “or” has the inclusive meaning “and/or,” (iii) “and/or” means “or” and is used for emphasis only, (iv) the singular includes the plural, and vice versa, and each gender includes each other gender, (v) captions or headings are only for reference and are not to be considered in interpreting this Agreement, (vi) “Section” refers to a section of this Agreement, unless otherwise stated in this Agreement, and (vii) “day” refers to a calendar day unless expressly identified as a business day. Any ambiguity in this Agreement will be resolved in favor of a meaning that permits the Parties to comply with Applicable Privacy and Security Laws.
8.17 Relationship. Business Associate is acting as an independent contractor of Covered Entity with respect to this Agreement. Nothing in this Agreement will create or be deemed to create the relationship of employer/employee, partners, joint ventures, or principal-agent between the Parties. In addition, (i) no Party will have any authority to assume or create any obligation or responsibility whatsoever, express or implied, on behalf or in the name of the other Party, or to bind the other Party in any manner whatsoever, and (ii) no Party will make any representation, warranty, covenant, agreement, or commitment on behalf of the other Party.
8.18 Disclaimer. Subject to Section 5 of this Agreement, Covered Entity makes no warranty or representation that compliance by Business Associate with this Agreement will be adequate or satisfactory for Business Associate’s own purposes under Applicable Privacy and Security Laws. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.