1. Accepting the agreement
By clicking the "EXECUTE CONTRACT" button displayed as a part of the online registration process, you are indicating that you expressly accept the following terms and conditions in this legal agreement (the "Agreement") between you and any organization you represent (collectively, "you" or the "Customer") and Demandforce, Inc., a wholly owned subsidiary of Intuit Inc. ("Demandforce"), governing your use of Demandforce's online service and any related software you may install on your computer (the "Service"), including the Business Associate Agreement, located at Section 19 in this Agreement, if you are a Covered Entity or a Business Associate under HIPAA (if you are not subject to HIPAA compliance, the Business Associate Agreement shall not apply). If you are entering into this Agreement, you represent that you are authorized to accept the terms of this Agreement on behalf of yourself or the organization you represent. If you do not have such authority, or if you do not agree with the terms and conditions of this Agreement, you must not click on the "EXECUTE CONTRACT" button and must close the Electronic Contract, and may not use the Service.
2. License grant & restrictions
Demandforce hereby grants the Customer, during the terms of this Agreement, the non-exclusive, non-transferable, worldwide right to use the Service, solely for the Customer's own internal business purposes, subject to the terms and conditions of this Agreement. All rights not expressly granted to the Customer are reserved by Demandforce and its third party licensors or suppliers (collectively, the "Licensors").
The Customer shall not (i) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Service or the content provided by or on behalf of Demandforce through the Service (the "Content") in any way; (ii) modify or make derivative works based upon the Service or the Content; (iii) create Internet "links" to the Service or "frame" or "mirror" any Content on any other server or wireless or Internet-based device; or (iv) reverse engineer or access the Service in order to (a) build a competitive product or service, (b) build a product using similar ideas, features, functions or graphics of the Service, or (c) copy any ideas, features, functions or graphics of the Service.
Customer agrees that Demandforce may publish, modify and amend any and all content appearing within demandforce.com, demandforced3.com, and all other internet domains or content feeds owned, managed, or controlled by Demandforce, including content consisting of promotions, advertisements and listings for non-competing local businesses, or products and services offered by Demandforce.
3. Ownership of intellectual property rights and Customer Data
The parties acknowledge and agree that, subject to the license grants contained in this Agreement, Licensor, retains all right, title and interest, including all related intellectual property rights, in and to the Demandforce technology, the Content and the Service and any suggestions, ideas, enhancement requests, feedback, recommendations (collectively, Feedback) or other information provided by the Customer or any other party relating to the Service. Customer retains all right, title and interest to any and all patient or customer data including consumer review data captured by the Demandforce system ("Customer Data") provided to Demandforce, subject to Demandforce's right to use such Customer Data to provide the Service to Customer. This Agreement is not a sale and does not convey any rights of ownership in or related to the Demandforce Service, Demandforce technology, Demandforce Content, or Demandforce intellectual property to the Customer except for the limited licenses granted to the Customer under this Agreement. Any and all software, algorithms, applications, source codes, structures, sequences, routines, sub-routines and related programming, engineering or technological matter developed or created by Demandforce or its Licensors (and all copyrights, patents, trademarks and other proprietary rights related thereto) shall remain the sole, exclusive and perpetual property of Demandforce or its Licensors.
The trademarks, trade names, service names or logos associated with the Service (collectively, the "Marks") are trademarks of Demandforce or its Licensors, and no right or license is granted to use them. Customer hereby acknowledges Demandforce or its Licensors' perpetual and exclusive ownership of and title to the Marks and the goodwill attaching thereto. Customer agrees not to use or attempt to register any Mark that is confusingly or deceptively similar to the Marks.
4. Customer responsibility and passwords; Third-party software
You are responsible for all activity occurring under your User accounts and shall abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with your use of the Service, including those related to data privacy, international communications and the transmission of technical or personal data. You also will choose a password and a user name. You are entirely responsible for maintaining the confidentiality of your password and account. Furthermore, you are entirely responsible for any and all activities that occur under your account. You agree to notify Demandforce immediately of any unauthorized use of your account or any other breach of security. Demandforce will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. Customer warrants and represents that: (i) the content to be transmitted by or on behalf of Customer does not constitute SPAM; (ii) the content to be transmitted by or on behalf of Customer is not illegal, threatening, hateful, vulgar, obscene, libelous or defamatory and does not and will not infringe upon any trademark, patent, copyright, trade secret or other proprietary, publicity or privacy right of any third party; and (iii) Customer has complied and will comply with all applicable laws respecting its execution and performance of this Agreement.
The Demandforce Service receives data from third-party software systems, which will be designated by Customer in the process of setting up the Demandforce Service. If Customer elects to change, upgrade or materially alter the third party software system from which Demandforce receives data, Demandforce does not guarantee that all Customer Data or Service functionality will be preserved. Customer is responsible for communicating any changes in data structure, management system, or hardware upgrades that may impact Demandforce's ability to receive and process Customer Data. In addition, Customer is responsible for providing Demandforce with accurate instructions and information regarding the third party systems and databases that the Service will interface with, and bears all responsibility for incomplete, inaccurate or otherwise faulty information regarding third party systems and Customer databases conveyed to Demandforce in connection with its set up or maintenance of the Service.
5. Client data and account information
Demandforce does not own any Customer Data, information or material that you submit to the Service in the course of using the Service. Except in accordance with Section 19 of this Agreement or as required by law, Customer Data will not be disclosed, sold, assigned, licensed or otherwise disposed of by Demandforce to any third party. You, not Demandforce, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Customer Data, and, except as provided in Section 19 of this Agreement or as required by law, Demandforce shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Customer Data, or for the improper or erroneous upload or extraction of any Customer Data. Demandforce reserves the right to withhold, remove and/or discard Customer Data without notice for any breach, including, without limitation, your non-payment. Upon termination for cause, your right to access or use Customer Data immediately ceases, and, except as set forth in Section 16 below, Demandforce shall have no obligation to maintain or forward any Customer Data.
6. Limited liability
IN NO EVENT SHALL DEMANDFORCE, ITS SUBSIDIARIES, OFFICERS, DIRECTORS, EMPLOYEES, LICENSORS, PARTNERS OR AFFILIATES BE LIABLE FOR: (I) ANY INDIRECT, INCIDENTAL, UNFORESEEABLE, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES; (II) ANY DAMAGES FOR LOSS OF PROFITS, LOSS OF EARNINGS OR LOSS OF BUSINESS OPPORTUNITIES, EVEN IF DEMANDFORCE HAS BEEN ADVISED OR WARNED BY CUSTOMER OF THE POSSIBILITY OF SUCH DAMAGES; (III) COSTS OF PROCUREMENT OR SUBSTITUTE GOODS OR SERVICES; (IV) LOSS OF DATA OR OTHER CUSTOMER CONTENT RESULTING FROM DELAYS, NON-DELIVERIES, MISDELIVERIES, SECURITY BREACHES TO, SERVICE INTERRUPTIONS TO, OR ERRORS OR OMISSIONS RESPECTING THE SERVICE OR THE OPERATION OF DEMANDFORCE OR ITS LICENSORS' NETWORKS; (V) LOSSES OR LIABILITIES DUE IN WHOLE OR IN PART TO MARKETING MATERIALS CREATED AND DISTRIBUTED BY CUSTOMER, WHETHER OR NOT SUCH MATERIALS ARE IN VIOLATION OF APPLICABLE LAW OR REGULATION, INCLUDING HIPAA; OR (VI) LOSSES OR LIABILITIES DUE IN WHOLE OR IN PART TO INADVERTENT, PREMATURE OR UNAUTHORIZED RELEASE OR DISCLOSURE OF INFORMATION BY CUSTOMER VIA DEMANDFORCE OR ITS LICENSORS' NETWORKS. THE TOTAL CUMULATIVE LIABILITY OF DEMANDFORCE TOGETHER WITH ITS SUBSIDIARIES, OFFICERS, DIRECTORS, EMPLOYEES, LICENSORS, PARTNERS AND AFFILIATES TO CUSTOMER OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICE IS LIMITED TO THE AMOUNT OF FEES CUSTOMER PAYS TO DEMANDFORCE IN THE 12 MONTHS PRIOR TO THE ACTION GIVING RISE TO LIABILITY.
The foregoing limitations will apply even if Demandforce has been notified of the possibility of such damages and notwithstanding the failure of the essential purpose of any limited remedy. No action or claim relating to this Agreement shall be made against Demandforce or its Licensors, subsidiaries, officers, directors, employees, partners or affiliates by Customer or on Customer's behalf more than 12 months after the event giving rise to such action or claim.
You agree to indemnify and hold Demandforce (including its parent, subsidiaries, affiliates, officers, directors, agents, and employees, contractors, sub-contractors, Licensors, partners and affiliates) harmless from any claim or demand, including reasonable attorney's fees, made by any third party due to or arising out of your breach or alleged breach of this Agreement or the documents it incorporates by reference, or your violation of any law or the rights of a third party (including without limitation any negligent, willful, tortious or illegal conduct by you affecting a third party).
This Agreement is an annual commitment billed in accordance with Section 10 below. This Agreement will automatically renew on the anniversary of the Effective Date of this Agreement unless Demandforce is notified in writing at least 30 days prior to the renewal date.
10. Billing & pricing
Demandforce charges and collects in advance for use of the Service. Demandforce will automatically renew and bill your credit card or issue an invoice to you (a) every month for monthly licenses and fees, (b) every quarter for quarterly licenses and fees, (c) each year on the subsequent anniversary for annual licenses, or in (d) an otherwise mutually agreed upon manner. The renewal charge will be equal to the then-current license fee in effect at the time of renewal. Fees for other services will be charged on an as-quoted basis, including but not limited to:
10.1 Email Finder product.
Demandforce works with a third-party provider to gather email addresses for individuals in your customer database for which you do not currently have email addresses on file. By opting in to use Demandforce's email finder product you will be subject to the recurring monthly service fee once email finder begins for that calendar month; email finder begins once we have passed your data to our third-party provider. The fees are per valid email returned each month from the provider.
10.2 Postcard product.
By opting in to use Demandforce's postcard Product you will be subject to the service fees per printed postcard. You assume full responsibility that any custom content you submit is correct and in the event that you submit incorrect information, misspellings, grammatical errors, or the like, you agree to pay any and all associated fees.
10.3 Listing service.
The Listing Service (defined below) is provided free of charge. Demandforce reserves the right to terminate the Listing Service as to you or any other customer at any time for any reason or no reason. Demandforce's fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, and you shall be responsible for payment of all such taxes, levies, or duties, excluding only United States (federal or state) taxes based solely on Demandforce's income.
10.4 Demandforce Connect for Facebook.
Demandforce Connect for Facebook is an add-on service that bears a separate monthly subscription fee, as well as certain installation fees, as quoted on our website, and which are subject to change from time to time. Demandforce Connect for Facebook services require a valid Demandforce D3 subscription to be in place. By electing to subscribe to Demandforce Connect for Facebook, you agree to pay all monthly subscription fees through the remainder of the term of your Demandforce D3 service agreement, billed in accordance with our normal monthly billing procedures. Your subscription to Demandforce Connect for Facebook will automatically renew along with any renewal of your Demandforce D3 subscription, unless you provide us with written notice of cancellation not less than 30 days prior to the end of the then-current term. Demandforce bears no responsibility for, and makes no warranty as to, the content published on your Facebook pages, or any other matter related to your utilization, or that of others, of Facebook, its applications, features and functions.
Unless otherwise stated, Our fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including but not limited to value-added, sales, use or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, "Taxes"). You are responsible for paying all Taxes associated with your purchases or use of Demandforce. If Demandforce has the legal obligation to pay or collect Taxes for which you are responsible under this paragraph, the appropriate amount shall be invoiced to and paid by you, unless You provide Demandforce with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Demandforce is solely responsible for taxes assessable against it based on its income, property and employees.
11. Demandforce guarantee; limitations
Subject to the provisions of this Section, Demandforce shall credit your account an amount equal to the monthly subscription fee paid by you for a given calendar month in the event that you do not receive at least $3 in Program Value (defined below) for every $1 of monthly subscription fee paid by you in such month. Any such credit will apply to the next month (the month following the month for which a refund is requested). To qualify for such credit you must (1) be an existing Demandforce customer in good standing, (2) have at least 250 bona fide customers with valid email addresses entered into the Service, (3) be signed-up for Email Finder, (4) must have executed a custom promotion or newsletter within the past 45 days, (5) have communications and other key product functionality enabled, and (6) complete and submit the Refund Request Form within 15 days of the end of the month in question. Program Value equals the sum of the following amounts for the month in question:
- $1,000 for each new customer/patient that is generated by the Service
- $500 for each lost customer or patient visit that is generated through the Service
- Total appointment revenue from a new or existing customer who was contacted via the Service and received service from you within a 60 day time period
- $30 for each customer satisfaction survey completed during such month
- $20 for each existing appointment that is re-confirmed by the customer or patient
- $50 for each referral made during such month whether the referral resulted in an appointment or not
- $30 for each public review completed during such month
12. Credit card authorization
By submitting your credit/debit card ("Bank Card") data to Demandforce, you authorize Demandforce in its complete discretion to submit a financial transaction(s) to your issuing bank for settlement. You agree that once Demandforce has approved or declined your transaction, Demandforce has fully performed under the terms of this Agreement. You agree to contact Demandforce in the event that you desire to cancel any recurring charge, prior to the next billing cycle. Should you fail to contact Demandforce, you agree to indemnify and hold Demandforce harmless from any losses or damages that you suffer as a result of a recurring charge. Demandforce may be contacted at: email@example.com or Demandforce, 22 4th Street, 12th Floor, San Francisco, CA 94103, (415) 904-8080. If you think that there is an error on your account, including an incorrect amount or unauthorized transaction, you agree to contact Demandforce prior to the next billing cycle. Upon proper notification, Demandforce, in its sole discretion may issue a credit to your Bank Card.
13. Representations & warranties
Each party represents and warrants that it has the power and authority to enter into this Agreement. Demandforce represents and warrants that it will provide the Service in a manner consistent with generally accepted industry standards. Customer represents and warrants that Customer has not falsely identified itself or its corporate entity nor provided any false information to gain access to the Service and that all Bank Card and other billing information that Customer has provided is correct. THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". EXCEPT AS EXPLICITLY SET FORTH ABOVE, DEMANDFORCE IS NOT PROVIDING ANY WARRANTIES AND REPRESENTATIONS REGARDING THE SERVICE, CONTENT OR TECHNOLOGY, AND DEMANDFORCE AND ITS LICENSORS, DISTRIBUTORS, PARTNERS AND AFFILIATES (COLLECTIVELY, THE “AFFILIATES”) DISCLAIM ALL WARRANTIES AND REPRESENTATIONS OF ANY KIND WITH REGARD TO THE SERVICE, CONTENT AND TECHNOLOGY, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, FREEDOM FROM VIRUSES OR OTHER HARMFUL CODE, OR FITNESS FOR ANY PARTICULAR PURPOSE. FURTHER, DEMANDFORCE AND THE AFFILIATES WILL NOT BE LIABLE FOR ANY DELAY, DIFFICULTY IN USE, INACCURACY OF INFORMATION, COMPUTER VIRUSES, MALICIOUS CODE OR OTHER DEFECT IN THE SERVICE, OR FOR ANY OTHER PROBLEMS EXPERIENCED BY THE CUSTOMER DUE TO CAUSES BEYOND DEMANDFORCE'S OR THE AFFILIATES’ CONTROL.
14. Email compliance
Demandforce has worked to achieve email compliance. You agree to comply with all elements of CAN-SPAM and safe sender email practices. This includes, but is not limited to, including unsubscribe links, your full contact information in all correspondence, and not releasing private and/or confidential information. You may only use email services for those customers with which you have an existing business relationship and which have indicated that they accept correspondence from you. You may not attempt to spoof sender domains, send spam or other offending email practices including those covered in Section 4 of this Agreement. Because of carrier technologies, Demandforce makes no expressed or implied warranty of individual message receipt. Demandforce is not liable for any issues that arise associated with the content that you provide or unforeseen liabilities of it being delivered.
15. Text message compliance
Demandforce has worked to achieve carrier certification for your text message delivery. To maintain this certification, you agree to adopt the double opt-in process, comprising: 1) you may only use text message services for those customers with which you have an existing business relationship and which have indicated that they accept correspondence from you and 2) the customers must reply to an opt-in message from their handset. For reliable delivery, you must adhere to message limitations including length and delivery. You may not attempt to spoof sender domains, send spam or other offending text message practices including those covered in Section 4 of this Agreement. Because of carrier technologies, Demandforce makes no expressed or implied warranty of individual message receipt. Standard text message rates apply for all text message services. Demandforce uses “short code” technology to engage in 2-way SMS communication with consumers and does not guarantee delivery to all mobile carriers if short code technology is not accepted. Demandforce is not liable for any issues that arise associated with the content that you provide or unforeseen liabilities of it being delivered.
16. Listing services; Intuit Local
Demandforce may offer a complimentary listing service (the "Listing Service") under which your business information and customer reviews (collectively, the "Business Information") are submitted to search engines, indexes and web sites, as well as to the Demandforce service referred to as "Intuit Local." You agree to participate in the Listing Service, and allow Demandforce to make this data available and provide registration services to Intuit Local and third party sites. It is up to third party sites to accept the submissions, and Demandforce makes no warranty as to such sites' willingness to do so. For so long as Customer continues to subscribe to the Service, Demandforce will make a good faith attempt to ensure accuracy and confidentiality of the information we provide to third party sites under the Listing Service. We have no control of third party web sites or resources that are provided by companies or persons other than that of Demandforce. Additional tools may be available from the third parties to provide additional updates to your information, but if you use such services, Demandforce is not liable for any claim arising out of the combination of such services with the information provided by the Listing Service. In addition to the terms set forth in this agreement, you agree to abide by the terms set forth in our Public Review Policy, as the same may be amended from time to time by Demandforce, the terms of which are available at www.demandforce.com.
Demandforce may terminate your participation in the Listing Service, or this Agreement, at any time in the event that Demandforce determines that you are not in compliance with the Public Review Policy. Upon termination of this Agreement by either party, the Business Information and any consumer reviews may remain in any data feeds provided to third parties under the Listing Service but is subject to removal at any time as determined by Demandforce. You may request explicit removal of the Business Information from such data feeds in writing. Upon request at any time up to 30 days following termination of this agreement, Demandforce will provide you with an electronic copy of your Business Information, including consumer reviews.
17. Governing law; venue; waiver of class action
This Agreement will be interpreted, construed, and enforced in all respects in accordance with the laws of the State of California, without reference to its choice of law principles to the contrary. The Customer will not commence or prosecute any action, suit, proceeding or claim arising under or by reason of this Agreement other than in the state or federal courts located in San Francisco, California. The Customer irrevocably consents to the jurisdiction and venue of the courts identified in the preceding sentence in connection with any action, suit, proceeding, or claim arising under or by reason of this Agreement. To the extent permitted by applicable law, each party agrees that it will not bring or participate in any class action against the other party or its partners or affiliates relating to this Agreement or the Services, and each party hereby waives any rights to bring such claims.
If any provision of this Agreement is found to be invalid or unenforceable, then the remainder of this Agreement will have full force and effect, and the invalid provision will be modified, or partially enforced, to the maximum extent permitted to effectuate the original objective. This Agreement will bind and inure to the transferee of a party’s business, and will be enforceable in the event of a change in ownership or control. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and merges and supersedes all prior agreements, understandings, negotiations, and discussions. Neither of the parties will be bound by any conditions, definitions, warranties, understandings, or representations with respect to the subject matter hereof other than as expressly provided herein. Failure by either party to enforce any term of this Agreement will not be deemed a waiver of future enforcement of that or any other term in this Agreement or any other agreement that may be in place between the parties. The section headings contained in this Agreement are for reference purposes only and will not affect in any way the meaning or interpretation of this Agreement. This Agreement is not intended to confer any right or benefit on any third party, and no action may be commenced or prosecuted against a party by any third party claiming as a third-party beneficiary of this Agreement or any of the transactions contemplated by this Agreement. No oral explanation or oral information by either party hereto will alter the meaning or interpretation of this Agreement. No amendments or modifications will be effective unless in a writing signed by authorized representatives of both parties.
19. BUSINESS ASSOCIATE AGREEMENT
Status of the parties. The parties hereby acknowledge and agree that Customer is subject to HIPAA compliance as a covered entity (Covered Entity), or as a Business Associate, and that Demandforce is a Business Associate of Covered Entity under the HIPAA Privacy Regulations, the HIPAA Security Regulations and the HITECH Standards, defined below.
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and
WHEREAS, the American Recovery and Reinvestment Act (“ARRA”) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act, and the HIPAA Final Omnibus Rule of 2013, and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule (hereby referred to as the “Arrangement Agreement”); and
WHEREAS, Business Associate may have access to Protected Health Information (“PHI”), as defined below, in fulfilling its responsibilities under such arrangement;
THEREFORE, in consideration of the Parties’ continuing obligations under the Arrangement Agreement, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.
19.1.1 Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.
19.1.2 The term “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined below.
19.1.3 The term “Electronic Protected Health Information” means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
19.1.4 Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement.
19.2 Confidentiality and Security Requirements
19.2.1 Business Associate agrees to the following obligations.
18.104.22.168 Use or Disclosure of PHI. Business Associate agrees to use or disclose any Protected Health Information solely: (i) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, for services as described in such agreement(s), or (ii) as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, and (iii) as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Covered Entity. All such uses and disclosures shall be subject to the limits set forth in 45 CFR § 164.514 regarding limited data sets and 45 CFR § 164.502(b) regarding the minimum necessary requirements.
19.2.1.2 Disposition of PHI. Upon termination of this Agreement, the Arrangement Agreement (or any similar documentation of the business relationship of the Parties), or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information. It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Agreement.
19.2.1.3 Security of PHI. Business Associate agrees to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information, receives appropriate training, and agrees to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement.
19.2.1.4 Notification of Breach of PHI. Business Associate shall, following the discovery of a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, notify the Covered Entity of such breach pursuant to the terms of 45 CFR § 164.410 and cooperate in the Covered Entity’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than twenty (20) calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410.
19.2.1.5 Breach of PHI by Covered Entity or by Customer/Owner of PHI. In the event that a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s breach analysis procedures, including risk assessment and determination of the extent of access of such unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.
19.2.1.6 Compliance. Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.
19.2.1.7 Permitted Use of PHI. Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information:
19.2.1.7.1 if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or
19.2.1.7.2 for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
19.3 Safeguarding PHI. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
19.4 Audit of Business Associate’s Records. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule.
19.5 Unauthorized Use of PHI. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
19.6 Availability of PHI
19.6.1 Restrictions on Disclosures of PHI. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity.
19.6.2 Access. Business Associate agrees to comply with any requests for preferences of access of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, if any. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule.
19.6.3 Accounting. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.
19.7 Term and Termination
19.7.1 Term. This Agreement shall commence on the Business Associate Agreement Effective Date and shall continue until (i) either party terminates this Agreement in writing; or (ii) the owner of the customer data, or PHI, deletes all data from or otherwise terminates or ceases use of, or payment for, the products or services provided by Business Associate in connection with such PHI, in which case this Agreement will be deemed terminated.
19.7.2 Termination for Cause. Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately.
19.8.1 No Third Parties; Survival. Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Agreement, the Arrangement Agreement and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
19.8.2 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Agreement is the entire agreement between the parties in connection with the subject matter herein and this Agreement may be amended or modified only in a writing signed by the Parties. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Agreement or to the Arrangement Agreement. Any assignment of this Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement will be governed by California law, without regard to its choice of law provisions. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. 
In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.
19.8.3 Minimum Requirements. The Parties agree that, in the event that any documentation of the Arrangement Agreement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.
19.8.4 Notices. Except as otherwise specified herein, all notices, demands or communications required hereunder shall be in writing and delivered personally, or sent either by U.S. certified mail, postage prepaid return receipt requested, or by overnight delivery air courier (e.g., Federal Express) to the parties at their respective addresses set forth above in this Agreement and, for Intuit, with a copy to: Intuit Inc., Attention: General Counsel, Law Department, P.O. Box 7850, Mountain View, California 94039-7850. All such notices, requests, demands, or communications shall be deemed effective immediately upon receipt.
If you have questions regarding this Agreement or wish to obtain additional information, please send an e-mail to firstname.lastname@example.org.
© 2013 Intuit Inc. All rights reserved.