Book a Discovery Call

Last Updated August 7, 2019

Backline Terms of Use

DrFirst.com, Inc. (“DrFirst,” “we,” or “us”) provides online and mobile application services (collectively, “Services” ) related to the administration of healthcare, to entities involved in the provision of healthcare who subscribe to the Services (“Subscribers”) as well as individuals who are involved in or support those involved in healthcare, along with those individuals with whom those Subscribers seek to correspond (“End Users” or “you”). The Services may be accessed online through our web site accessible at the URL https://backline.akariobl.com (the “Site”) or through a mobile device by searching for the “Backline” mobile application (“Mobile Application”). Backline is a communication tool, available on the Site and within the Application, which allows healthcare providers, administrators, and support personnel to send and receive secure instant messages to individuals and groups. The Application is provided to End Users only under the applicable terms of use below (the “Terms”).

THIS IS A LEGALLY BINDING AGREEMENT between us and you. PLEASE READ THE TERMS CAREFULLY. BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THESE TERMS, UNDERSTAND THEM, AND AGREE TO BE BOUND BY THEM AND ANY LATER MODIFICATIONS. IF YOU DO NOT AGREE TO ANY OF THE TERMS BELOW, YOUR RIGHT TO ACCESS AND USE THE SERVICES CANNOT BE GRANTED. IF YOU ARE IN THE PROCESS OF ELECTRONICALLY REGISTERING OR ONBOARDING FOR A SPECIFIC SESSION AND YOU DO NOT AGREE WITH THESE TERMS, YOU SHOULD DISCONTINUE THE REGISTRATION OR ONBOARDING PROCESS.

A. END USER REQUIREMENTS
By agreeing to these Terms as an End User, you represent that you are operating, as an End User, Web Based End User, or Subscriber in order to communicate in the facilitation of a healthcare activity such as treatment, payment, or healthcare operations. A “Web Based” End User is an unaffiliated individual with whom the Subscriber or End User has sent a message with a lawful purpose. You must be a Subscriber, End User, or Web Based End User during such time as you access and use the Services. In the event that you cease to be an End User, Subscriber, or Web Based End User, these Terms will automatically terminate.

B. ACCESS TO SERVICES
For so long as these Terms remain in effect and you remain a properly subscribed, registered End User, the Services will remain available to you. You may access the Services by using the Site or through the corresponding Mobile Application software. Subject to these Terms and during such time as you remain a properly subscribed, registered End User, you are granted a limited, non-exclusive, non-transferable license to access and make use of online features of the Services, and to download, install and operate the Mobile Application for the purpose of accessing and using the Services. If you are a Web Based End User, your access to the system is premised solely on a communication from a Subscriber or End User, and the Subscriber or End User is requesting DrFirst contact you on his or her behalf. Any license grant for a Web Based End User shall be solely for access to the limited session initiated by an End User or Subscriber.

C. GENERAL RESTRICTIONS ON USE
If you are an End User, Subscriber, or Web Based End User, then the licenses granted to you will remain in force only for so long as these Terms remain in effect or until your subscription/registration is cancelled or terminated. You may not resell or sublicense access to Services or any of the rights granted to you herein to any third-party. You may not use the Mobile Application or Site except in connection with your personal use of Services as authorized by these Terms. You agree not to reproduce, duplicate, copy, sell, resell or exploit any part of the Services or Mobile Application software. You further agree not to combine or integrate the Services and/or the Mobile Application with software or technology not provided by us, or modify, further develop or create any derivative product based on the foregoing. You may not decompile, disassemble, reverse engineer or otherwise attempt to obtain or access the source code from which any component of the Site, Services and/or Mobile Application is compiled or interpreted, and nothing in these Terms may be construed to grant any right to obtain or use such source code.

D. HIPAA & APPLICABLE LAWS.
As an End User or Subscriber, you agree not to use the Services or Mobile Application to: (a) other than as permitted by HIPAA and HITECH rules as amended from time to time by the government; (b) violate any local, state, national or international law; (c) access any Services subscription account other than your own; or (d) impersonate any person or entity, or otherwise misrepresent your affiliation with a person or entity. You agree to only access, use, and/or disclose the minimum necessary information needed to perform your professional duties. You agree not to access any information or chat logs for any patients that are not under your care and/or treatment. In the event we become aware of your use of the system other than for the purposes outlined in these Terms, we may in our sole and reasonable discretion terminate your account.

To the extent you are an End User or Subscriber and are engaging DrFirst to provide this service on your behalf, you agree to the Business Associate Agreement provided below, unless you have a different Business Associate Agreement in place with DrFirst, in which case that agreement will govern. If you are a Web Based End User, you acknowledge and agree that the information being provided to you by DrFirst, and being provided to DrFirst by you, may be subject to stringent state and federal regulation including HIPAA and HITECH. As a Web Based End User, DrFirst is not acting on your behalf, but facilitating communication to and/or with you on behalf of an End User or Subscriber, and you further agree that you will maintain strict privacy of the information you receive.

E. NO WARRANTIES
THE SERVICES, THE SITE, THE MOBILE APPLICATION AND ALL SERVICES RELATED TO THE FOREGOING ARE PROVIDED “AS IS.” TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, DRFIRST AND ITS AFFILIATES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, AND SYSTEM INTEGRATION. APPLICABLE LAW MAY NOT ALLOW THE EXCLUSION OF CERTAIN IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. DRFIRST AND ITS AFFILIATES DO NOT WARRANT THAT USE OF THE SERVICES BY REGISTERED END USERS WILL BE UNINTERRUPTED, ERROR-FREE OR VIRUS FREE. THE SUBMISSION OF ANY INFORMATION THROUGH THE DRFIRST SERVICE AND/OR SITE AND THE DOWNLOAD, INSTALLATION AND USE OF MOBILE APPLICATION IS DONE AT YOUR OWN DISCRETION AND RISK AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM AND/OR MOBILE DEVICE OR LOSS OF DATA THAT MAY RESULT FROM SUCH ACTIVITIES OR FROM RELIANCE UPON THE SERVICES. DRFIRST IS NOT THE OWNER OR AUTHOR OF, AND MAKES NO WARRANTIES WITH RESPECT TO, ALL THIRD-PARTY SOFTWARE AND THIRD-PARTY OFFERINGS. ALTHOUGH INFORMATION THAT YOU SUBMIT MAY BE PASSWORD PROTECTED, DRFIRST DOES NOT GUARANTEE THE SECURITY OF ANY INFORMATION TRANSMITTED TO OR FROM THE SITE OR MOBILE APPLICATION, EXCEPT AS MAY BE SET FORTH IN A BUSINESS ASSOCIATE AGREEMENT BETWEEN DRFIRST AND SUBSCRIBER OR END USER; AND YOU AGREE TO ASSUME THE SECURITY RISK FOR ANY INFORMATION YOU PROVIDE USING BACKLINE. DRFIRST DOES NOT GUARANTEE THAT THE “READ” NOTIFICATION IN THE MESSAGE WINDOW MEANS THAT THE INTENDED RECIPIENT HAS ACTUALLY VIEWED THE MESSAGE, MERELY THAT THE MESSAGE HAS BEEN PROPERLY DELIVERED.

F. LIMITATION OF LIABILITY
YOU, AS AN END USER, AGREE THAT YOUR USE OF THE DRFIRST SERVICE, THE SITE AND THE MOBILE APPLICATION IS AT YOUR OWN RISK. THE DRFIRST SERVICE, THE SITE AND MOBILE APPLICATION ARE SOLELY AVAILABLE TO YOU AS AN END USER, WEB BASED END USER, OR END USER OF A SUBSCRIBER. ACCORDINGLY, YOUR REMEDY AGAINST DRFIRST FOR ANY DAMAGE CAUSED TO YOU BY OR FROM (i) BUSINESS INTERRUPTION, (ii) LOSS OR INACCURACY OF INFORMATION, OR (iii) YOUR USE OR INABILITY TO USE THE SERVICES, THE SITE AND/OR THE MOBILE APPLICATION SHALL BE SOLELY LIMITED TO CANCELLATION OF YOUR REGISTRATION TO ACCESS THE SERVICES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEABLE AND EVEN IF DRFIRST WAS ADVISED THAT SUCH DAMAGES WERE LIKELY OR POSSIBLE. YOU ACKNOWLEDGE THAT THIS LIMITATION OF LIABILITY IS AN ESSENTIAL TERM RELATING TO THE PROVISION OF THE SERVICES TO YOU AND DRFIRST WOULD NOT ALLOW YOU OR YOUR SUBSCRIBER TO PERMIT YOUR ACCESS AND USE OF THE SERVICES WITHOUT THIS LIMITATION.

G. INDEMNIFICATION
YOU AGREE TO INDEMNIFY, HOLD HARMLESS AND, AT DRFIRST’S OPTION, DEFEND DRFIRST (INCLUDING ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, LICENSORS, SUPPLIERS AND ANY THIRD-PARTY INFORMATION VENDERS TO THE SITE OR SERVICE) FROM AND AGAINST ALL LOSSES, EXPENSES, DAMAGES, COSTS AND LIABILITIES, INCLUDING REASONABLE ATTORNEYS’ FEES, RESULTING FROM ANY VIOLATION OF THESE TERMS OR ANY ACTIVITY RELATED TO YOUR ACCOUNT (INCLUDING ANY NEGLIGENT OR WRONGFUL CONDUCT, AND INCLUDING YOUR FAILURE TO ENSURE THAT YOU AND/OR OTHER REGISTERED END USERS IN YOUR CONTROL ARE LICENSED MEDICAL PROFESSIONALS WITH THE RIGHT TO PRESCRIBE MEDICINE) BY YOU OR ANY OTHER PERSON ACCESSING THE SERVICES USING YOUR ACCOUNT.

H. DURATION OF TERMS
These Terms will become effective and binding when you have acknowledged your acceptance of all the terms and conditions herein. Once in effect, these Terms will continue in operation until terminated by either you or us.

I. TERMINATION
You may terminate these Terms at any time and for any reason by discontinuing use of the Services. We may terminate these Terms without notice or, at our option, temporarily suspend your access to the Services the Site, and/or the Mobile Application in the event that you breach these Terms. Notwithstanding the foregoing, we also reserve the right to terminate these Terms at any time and for any reason by providing notice to you in accordance with these Terms. After termination of these Terms for any reason, you understand and acknowledge that we will have no further obligation to provide the Services. Upon termination, all licenses and other rights granted to you by these Terms will immediately cease, and you agree to promptly remove the Mobile Application and any copies thereof from your mobile device(s), or your End Users’ mobile device(s), and to destroy any confidential information of ours that you may possess. If you are the Subscriber (as well as the End User) and we terminate these Terms for reasons other than your breach, upon making a request within thirty (30) days from the date of termination, we will refund a pro rata share of any fees or other charges prepaid by you, provided that all fees and other charges prepaid by you are otherwise non-refundable. You agree to pay any amounts accrued but remaining unpaid as of termination.

J. APPLICABILITY OF TERMS AFTER TERMINATION
The following provisions will survive the termination of these Terms: sections C, D, E, F, G, N and P.

K. ACCOUNT INFORMATION
DrFirst reserves the right to share certain account or other information with governmental organizations or other third parties when it believes in good faith that the law or legal process requires it, or when it is necessary to do so to protect the rights or property of DrFirst or others. A password and/or unique user I.D. will be provided to you. You are responsible for maintaining the confidentiality of such passwords and/or user I.D., and you agree that you will be responsible for all use of any such password and/or user I.D., including any access to, or use of, the Services by unauthorized persons. In the event that your password and/or user I.D. is lost or stolen, please notify your Application Administrator immediately so that a new password or user I.D. may be issued promptly.

L. MODIFICATIONS TO TERMS
We may change these Terms from time to time. We will notify you of any such changes via e-mail (if you have provided a valid email address) and/or by posting notice of the changes on the Site. Except as may otherwise be required in the Privacy Policy, any such changes will become effective when notice is received or when posted on the Site, whichever first occurs. If you object to any such changes, your sole recourse will be to terminate these Terms. Continued use of the Services, the Site and/or the Mobile Application following notice of any such changes will indicate your acknowledgement of such changes and agreement to be bound by the revised Terms, inclusive of such changes. In addition, certain aspects of the Services may be subject to additional terms of use. By using such aspects, or any part thereof, you agree to be bound by the additional terms of use applicable to such aspects. In the event that any of the additional terms of use governing such aspects conflict with these Terms, the additional terms will govern.

M. MODIFICATIONS TO SERVICES
We reserve the right to modify or discontinue the Services with or without notice to you. We will not be liable to you or any third party should we exercise our right to modify or discontinue the Services, except as set forth in section F above. If you object to any such changes, your sole recourse will be to terminate these Terms. Continued use of the Services, the Site, or the Mobile Application following notice of any such changes will indicate your acknowledgement of such changes and satisfaction with the Services as so modified.

N. OWNERSHIP
As between you and us, we and/or our vendors and suppliers, as applicable, retain all right, title and interest in and to the Services, the Site and all Mobile Application Software, and all information, content, software and materials provided by or on behalf of DrFirst. You may not copy, reproduce, distribute or create derivative works from such information, content, software and materials or remove any copyright or other proprietary rights notices contained in such information, content, software and materials without the copyright owner’s prior written consent.
Your feedback is welcome and encouraged. You agree, however, that (i) by submitting unsolicited ideas to DrFirst, you automatically forfeit your right to any intellectual property rights in these ideas; and (ii) unsolicited ideas submitted to DrFirst or any of its employees or representatives automatically become the property of DrFirst.

O. REPRESENTATIONS AND WARRANTIES
You represent and warrant that all information that you provide to us will be true, accurate, complete and current, and that you have the right to provide such information to us in connection with your use of the Services.

P. GENERAL TERMS
You shall comply with all laws, rules and regulations now or hereafter promulgated by any government authority or agency that are applicable to your use of the Services, the Site, the Mobile Application or the transactions contemplated in these Terms. Any attempt to sublicense, assign or transfer any of the rights, duties or obligations hereunder or to exceed the scope of these Terms is void. These Terms will be subject to and construed in accordance with the laws of the State of Maryland, excluding conflict of law principles. You consent to jurisdiction and venue exclusively in the State of Maryland. These Terms constitute the entire agreement between you and DrFirst with regard to the matters described herein and govern your use of the Services, the Site and the Mobile Application, superseding any prior agreements between you and DrFirst with respect thereto (except as described in section I above). The failure of DrFirst to exercise or enforce any right or provision of these terms shall not constitute a waiver of such right or provision. If any provision of these terms is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions of these Terms shall remain in full force and effect. You remain responsible for any applicable carrier, data use, or similar fees associated with use of the Mobile Application or Services on a mobile device. You agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to use of the Services or these Terms of Use must be filed within one (1) year after such claim or cause of action arose or be forever barred.

 

THE TERMS IN THE FOLLOWING SECTION APPLY ONLY TO END USERS USING MEDHX

A. Requirements
By using these Services, you represent that you are:

•  A licensed medical professional in the state(s) or jurisdiction(s) in which you practice;
•  An employee, agent, or authorized representative of a license medical professional for whom you work; and/or
•  An authorized employee of a health care provider (including a health care facility or institution).

For as long as these Terms are in effect, you agree that you shall continue to be an individual authorized by a healthcare provider, facility, or institution to access and use MedHx. In the event you no longer qualify as one of the four individuals above, these Terms shall automatically terminate, and you agree to immediately notify us and you will no longer access or use MedHx. You also agree that you will not misrepresent your status as one of the four individuals above in the event you are no longer authorized by your organization to access MedHx.

B. General Restrictions on Use
You agree not to use MedHx to: (a) violate any local, state, national or international law; (b) access any Backline account other than your own; or (c) impersonate any person or entity, or otherwise misrepresent your affiliation with a person or entity.

C. Representations and Warranties
You represent and warrant that to the extent you access protected health information (PHI) while using MedHx, that you have not been convicted of a felony or misdemeanor related to theft or fraud.

 

BUSINESS ASSOCIATE AGREEMENT

To the extent HIPAA and HITECH require a Business Associate Agreement between you and DrFirst, and DrFirst is acting on your behalf as a Business Associate, you agree to the terms of this Business Associate Agreement, unless you have a different Business Associate Agreement in place with DrFirst, in which case that agreement will govern.

RECITALS
This Business Associate Agreement (“Agreement”) is made and entered into as of the date executed (“Effective Date”) by and between DrFirst.com, Inc. (the “Business Associate,” as further defined below), whose address is 9420 Key West Avenue, Suite 101, Rockville, MD 20850, and End User (the “Covered Entity,” as further defined below), (collectively, the “Parties”).

WHEREAS, the End User may be a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and DrFirst.com, Inc. is a “Business Associate” as defined under HIPAA;

WHEREAS, in connection with the Backline Terms of Use entered into between Business Associate and Covered Entity to provide certain services to or on behalf of Covered Entity (“Service Agreement”), Covered Entity may provide Business Associate with Protected Health Information or may require Business Associate to create, use, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, the Parties enter into this Agreement for the purpose of ensuring compliance with HIPAA and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below), and the Breach Notification Rule (defined below);

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

I. DEFINITIONS AND INTERPRETATION

1.1 Definitions Generally.

1.1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
1.1.2 “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
1.1.3 “Electronic Protected Health Information” or (“EPHI”) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.1.4 “Privacy Rule” shall mean the Standards for Privacy of
1.1.5 Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
1.1.6 “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.1.7 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
1.1.8 Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.

1.2 Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in accordance with the rules of presence. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.

1.3 State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.

1.4 Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.

II. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE

2.1 Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI received by the Business Associate as necessary to perform functions, activities or services for or on behalf of the Covered Entity as specified in the Service Agreement and including but not limited to:

2.1.1 Facilitating the processing of administrative, clinical and financial healthcare transactions;
2.1.2 Treatment of patients of the Covered Entity;
2.1.3 Establishing and maintaining Business Management Programs;

2.2 Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.

2.3 De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.

2.4 Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.

2.5 Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if:

2.5.1 Required By Law; and/or
2.5.2 Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.

2.6 Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

III. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

3.1 Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement.

3.2 Safeguards Against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.

3.3 Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.

3.4 Agreements with Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.

3.5 Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.

3.6 Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.

3.7 Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity (or an Individual as directed by the Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designed by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.

3.8 Accounting of Disclosures.

3.8.1 The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
3.8.2 The Business Associate shall provide to Covered Entity information collected in accordance with Section 4.8.1 of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.

3.9 Retention of Protected Health Information. Notwithstanding Section 8.3 of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section 4.8.1 of this Agreement for a period of six (6) years after termination of the Service Agreement.

3.10 Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

3.11 Availability of Information. The Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.

IV. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

4.1 Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.

4.2 Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.

4.3 Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.

V. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

5.1 Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.

5.2 Content of Notification. Any notice referenced above in Section 6.1 of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.

VI. OBLIGATIONS OF THE COVERED ENTITY

6.1 Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.

6.2 Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

6.3 Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.

6.4 Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.

VII. TERM AND TERMINATION

7.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity; or in the event that it is not feasible to return or destroy said PHI, protections are extended to such information with the termination provisions herein provided or as permissible by the applicable Regulations.

7.2 Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.

7.3 Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. In the event that the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.

7.4 Retention of Certain Information. The Business Associate shall retain no copies of the aforementioned PHI; however, the Covered Entity understands and agrees that information relating to individual prescription transactions submitted by use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.

VIII. MISCELLANEOUS

8.1 Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.

8.2 Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.

8.3 Survival. The respective rights and obligations of Business Associate under Article V of this Agreement shall survive the termination of this Agreement.

8.4 Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.

 

DISCLAIMER: Images viewed on non-high-resolution devices are for informational purposes only.