For purposes of the three sections of these Master Terms (together, the “Agreement”), DrFirst.com, Inc. shall be referred to as “DrFirst” and ________________ shall be referred to as “Company”. The “Effective Date” is the date of execution, as shown on the sales agreement (“Sales Agreement”).
Table of Contents:
I. Application Services Provider Agreement
II. Business Associate Agreement
III. Service License Agreement
I. APPLICATION SERVICES PROVIDER (ASP) TERMS OF AGREEMENT
1. LICENSE. Subject to the terms and conditions contained in this Agreement and on the Sales Agreement, DrFirst hereby grants to Company (i) a non-exclusive, non-transferable, right to access the features and functions of the Rcopia E-Prescribing and the EPCS Gold Applications during the Term of the License, solely through the listed Access Website; and (ii) a non-exclusive, non-transferable and non-sublicenseable license to make a reasonable number of copies of the Application Documentation solely for Company’s internal use in connection with access and use of the Application. Application Documents include written materials pertaining to the Application that DrFirst provides to the Company including but not limited to operating manuals, user guides, training course materials, computer-based training modules, software and Application specifications, and technical manuals.
2. TRAINING. DrFirst shall offer training of Company personnel who shall have access to the Rcopia and EPCS Gold Applications as needed.
3. BUSINESS ASSOCIATE AGREEMENT (BAA). Company and DrFirst shall sign a BAA as required by relevant law. The BAA shall be incorporated herein by reference.
5. TERM. The Term of this Agreement shall commence on the Effective Date and shall continue for a period of twelve (12) months thereafter (“Initial Term”). In absence of a compelling reason to terminate, the License shall automatically renew for successive one (1)-year periods, unless either Party provides notice of its desire not to renew not less than sixty (60) days prior to the end of the then current term.
6. PAYMENT AND TAXES. Company shall make initial payment in accordance with the Sales Agreement. Pricing and payment details for renewals will be made available to Company in a timely manner. Interest on any late payments will accrue monthly at the rate of one percent (1.5%) per month. All amounts payable hereunder shall exclude all applicable sales, use, and other taxes, and all applicable export and import fees, customs duties, and similar charges. Company will be responsible for payment of all such taxes (other than taxes based on DrFirst’s income), fees, duties and charges, and any related penalties and interest, arising from the payment of any fees hereunder, the grant of license rights in the Application to Company, or the delivery of related services. Company will make all payments required hereunder to DrFirst free and clear of, and without reduction for, any withholding taxes. Any such taxes imposed on any payments hereunder to DrFirst will be Company’s sole responsibility, and Company will provide DrFirst with official receipts issued by the appropriate taxing authority, or such other evidence as DrFirst may reasonably request, to establish that such taxes have been paid.
7. TERMINATION. After three months of non-payment, DrFirst may terminate the Agreement for cause and rescind access to the Rcopia and EPCS Gold Applications; such remedy shall be in addition to any and all other remedies available to DrFirst. DrFirst shall give Company at least fourteen (14) days written notice prior to rescinding access for non-payment. Except as provided above, in the event of a material breach of this Agreement by either party, the non-breaching party may terminate this Agreement thirty (30) days after breaching party’s receipt of written notice of breach and the breaching party has not cured or taken reasonable steps to cure the breach within such thirty (30) day notice period.
8. INTELLECTUAL PROPERTY. DrFirst retains all right, title, and interest in the Rcopia and EPCS Gold Applications, the Applications Documentation, the DrFirst Brand, the interface software, and all related materials, including all copies thereof in any form or medium, whether now known or existing or hereafter developed, and further including all copyrights, patents, trade secrets, trademarks or trade names therein. All goodwill arising in or from the DrFirst Brand shall inure solely to DrFirst’s benefit. Except to the extent granted herein, Company acquires no rights in any of the foregoing.
9. GENERAL USAGE RESTRICTIONS. Company shall not use the Rcopia Application for any purposes other than allowing its personnel to make electronic prescriptions, except with the prior written consent of DrFirst. Company will not (i) copy or duplicate the Application; (ii) decompile, disassemble, reverse engineer, or otherwise attempt to obtain or perceive the source code from which any component of the Application is compiled or interpreted; (iii) modify the Application, the Application Documentation, or the DrFirst Brand, or create any derivative product from any of the foregoing, except with the prior written consent of DrFirst; (iv) act as a service bureau of the Application or otherwise run the Application for any third party; or (v) except as contemplated hereunder and otherwise expressly permitted in this Agreement, assign, sublicense, sell, resell, lease, rent or otherwise transfer or convey, or pledge as security or otherwise encumber Company’s rights under the license granted by DrFirst. Company acknowledges that nothing in this Agreement will be construed to grant Company any right to obtain or use the source code from which any component of the Application is compiled or interpreted, and that this Agreement grants certain rights to access the Application, as hosted by DrFirst, but nothing herein may be construed to require delivery of a copy of the Application or to grant Company any right to obtain such a copy.
10. ACCOUNT INFORMATION. A unique user I.D. and password will be provided to each authorized end user. You are responsible for the addition of new users and the removal of inactive users.
11. HOSTING AND SERVICE LICENSE AGREEMENT (SLA) TERMS. DrFirst will undertake commercially reasonable measures to ensure that the operation and function of the Application and the Application Server are available to Company in accordance with DrFirst’s Standard SLA which will be made available to Company and incorporated herein by reference.
12. CONFIDENTIAL INFORMATION. The Parties acknowledge that during the performance of this Agreement, each Party will have access to certain of the other Party’s Confidential Information or Confidential Information of third parties that the disclosing Party is required to maintain as confidential. “Confidential Information” shall mean all written or oral information, disclosed by either Party to the other, related to the operations of either Party or a third party, whether or not identified or marked as confidential information that by the nature of the information or the circumstances surrounding disclosure ought reasonably to be treated as confidential. Confidential Information includes, without limitation, the specifications of the product licensed herein as well as any other proprietary information such as business plans, technical data, specifications, documentation, contracts, presentations, business methods, product functionality, services, data, customer information, competitive analysis, databases, formats, methodologies, applications, developments, inventions, processes, payment, designs, drawings, algorithms, formulas, trade secrets, or other information related to engineering, marketing, or finance. Both Parties agree that all items of Confidential Information are proprietary to the disclosing Party or such third party, as applicable, and shall remain the sole property of the disclosing Party or such third party. 
Each Party further agrees as follows: (i) to use the Confidential Information only for the purposes described herein; (ii) that such Party will not reproduce the Confidential Information and will hold in confidence and protect the Confidential Information from dissemination to, and use by, any third party; (iii) that neither Party will create any derivative work from Confidential Information disclosed to such Party by the other Party unless such work is contemplated by this Agreement; (iv) to restrict access to the Confidential Information to such of its personnel, agents, lawyers, accountants, and consultants, if any, who have a need to have access for purposes of performing such Party’s obligations hereunder and who have been advised to treat such information in accordance with the terms of this Agreement.
13. REPRESENTATIONS AND WARRANTIES. (a) Each Party hereby represents and warrants (i) that it is duly organized, validly existing, and in good standing under the laws of its jurisdiction of incorporation; (ii) that the execution and performance of this Agreement will not conflict with or violate any provision of any law having applicability to such Party; and (iii) that this Agreement, when executed and delivered, will constitute a valid and binding obligation of such Party and will be enforceable against such Party in accordance with its terms. (b) Company further represents and warrants (i) that it has the right to disclose and provide to DrFirst any data provided through use and access of the Application, and (ii) that Company’s use of and access to the Rcopia and EPCS Gold Applications comply with applicable laws and regulations, including, without limitation, any applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the rules and regulations promulgated thereunder. DrFirst represents and warrants that the EPCS Gold™ platform is and shall be in compliance with the relevant provisions of the Drug Enforcement Agency’s Electronic Prescriptions of Controlled Substances Final Rule as codified in 21 CFR Parts 1300, 1304, 1306, and 1311 (the “DEA Regulations”). Company acknowledges and agrees that it shall be responsible for obtaining any third party approvals, certifications or other evidence of compliance with the relevant provisions of the DEA Regulations if necessary or applicable.
14. INDEMNIFICATION. DrFirst shall defend, indemnify and hold harmless Company, its directors, officers, employees and agents from and against any claims, actions, suits, losses, damages, fines, liabilities, judgments, costs and expenses arising out of or relating to claims brought by third parties that the Application infringes or misappropriates the patent, copyright, trademark or trade secret or other intellectual property rights of such party. The Parties agree to hold harmless, indemnify, and defend each other from and against any losses, liabilities, costs (including reasonable attorneys’ fees) or damages resulting from: (i) misuse of data in violation of Section 13; and (ii) any breach of Confidentiality obligations as contemplated by Section 12 of this Agreement, provided that indemnifying party will not settle any third-party claim against indemnitee unless such settlement completely and forever releases indemnitee from all liability with respect to such claim or unless indemnitee consents to such settlement, and further provided that indemnitee will have the right, at its option, to defend itself against any such claim or to participate in the defense thereof by counsel of its own choice.
15. DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DRFIRST DISCLAIMS ANY AND ALL PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, DATA ACCURACY, TITLE, AND NON-INFRINGEMENT. DRFIRST DOES NOT WARRANT THAT THE APPLICATION WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF THE APPLICATION WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED. Further, it is expressly acknowledged that the Applications rely on a third party data feed and that DrFirst has no control over the accuracy of such data. Accordingly, DrFirst shall have no responsibility or liability for the accuracy of any data delivered under the Application, unless it can be shown that DrFirst altered the substance of the data in the data feed in a material way. Further, it is understood that some of the data in the data feed may be subject to state and federal laws and regulations, including the Health Insurance Portability and Accountability Act (“HIPAA”) as well as the Health Information Technology for Clinical and Economic Health Act (“HITECH”), and Company agrees to comply with all such laws and regulations governing its use of the data.
16. LIMITATIONS AND EXCLUSIONS OF LIABILITY. EXCEPT WITH RESPECT TO GROSS NEGLIGENCE OR INTENTIONALLY HARMFUL ACTS, IN NO EVENT WILL DRFIRST BE LIABLE TO COMPANY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION, OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN IF DRFIRST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION UPON DAMAGES AND CLAIMS IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. THE CUMULATIVE LIABILITY OF DRFIRST TO COMPANY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF ALL LICENSE FEES PAID TO DRFIRST BY COMPANY DURING THE TWELVE (12)-MONTH PERIOD PRIOR TO THE ACT, OMISSION, OR EVENT GIVING RISE TO SUCH LIABILITY. THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. Company acknowledges and understands that the disclaimers and limitations of liability set forth in these terms form an essential basis of the agreement between the Parties, that the Parties have relied upon such disclaimers and limitations of liability in negotiating the terms and conditions in this Agreement, and that absent such disclaimers, exclusions and limitations of liability, the terms and conditions of this Agreement would be substantially different. DrFirst expressly disclaims any liability for any damages or costs occurring as a result of Company’s failure to obtain and/or maintain any necessary approvals or certifications required by the relevant provisions of the DEA Regulations.
17. MISCELLANEOUS. If any provision of this Agreement is invalid or unenforceable for any reason in any jurisdiction, such provision shall be construed to have been adjusted to the minimum extent necessary to cure such invalidity or unenforceability. The invalidity or unenforceability of one or more of the provisions contained in this Agreement shall not have the effect of rendering any such provision invalid or unenforceable in any other case, circumstance, or jurisdiction, or of rendering any other provisions of this Agreement invalid or unenforceable whatsoever. No waiver under this Agreement shall be valid or binding unless set forth in writing and duly executed by the Party against whom enforcement of such waiver is sought. Any such waiver shall constitute a waiver only with respect to the specific matter described therein and shall in no way impair the rights of the Party granting such waiver in any other respect or at any other time. Any delay or forbearance by either Party in exercising any right hereunder shall not be deemed a waiver of that right. This agreement shall be governed in accordance with the laws of the State of Maryland, without regard to conflicts of law principles thereof or to the United Nations Convention on the International Sale of Goods. For purposes of all claims brought under this agreement, each of the parties hereby irrevocably submits to the non-exclusive jurisdiction of the state courts of the State of Maryland. Under no circumstances shall this agreement or a part thereof be subject to the Uniform Computer Information Transaction Act. All U.S. Government authorized users acquire the Application and the Application Documentation with only those rights set forth therein.
18. OBLIGATIONS OF DRFIRST FOR THE EPCS GOLD APPLICATION.
18.1 DrFirst agrees to provide the EPCS Gold™ Services as an additional product and services offering which integrates with Company Software to allow users of the Integrated Offering to register, identity-proof and enable for EPCS Gold, as well as sign and forward prescriptions for controlled substances electronically.
18.2 DrFirst shall provide distribution of the hard token on behalf of Company.
18.3 DrFirst shall provide Web based training tools and Tier 2 support for the EPCS Gold Platform.
19. ADDITIONAL OBLIGATIONS OF COMPANY FOR THE EPCS GOLD APPLICATION.
19.1 Company shall provide Tier 1 support service for the EPCS Gold™ Services.
19.2 Company shall be required to pass a DrFirst certification for the EPCS Gold™ service prior to the Rcopia Engine Service being made generally available within the integrated offering in the production environment. DrFirst will schedule the EPCS Gold™ Certification with Company to perform a checklist of procedures to confirm that transactions between the integrated offering and the EPCS Gold™ Platform and general functionality are working properly.
20. TOKEN WARRANTY AND IDP MANAGEMENT FEE.
20.1 TOKEN WARRANTY
A complimentary token shall be provided by DrFirst for each license purchased. A free replacement token shall be furnished for any reason within the first three months of issuance. No warranties exist for the token after 3 months of issuance.
20.2 IDP MANAGEMENT.
20.2.1 Fee: $25; this fee includes the cost of identity proofing services, replacement and switching services related to Token Management.
20.2.2 In the event a token is lost, stolen or damaged and a secondary back-up token (hard or soft) is not registered to the End User’s EPCS account, the End User must undergo the identity-proofing process again and must pay a token management replacement fee regardless of whether or not the replacement token was issued by DrFirst.
[End of ASP Terms of Agreement]
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into as of the Effective Date by and between DrFirst.com, Inc. (the “Business Associate,” as further defined below), whose address is 9420 Key West Avenue, Suite 101, Rockville, MD 20850 and _______________, (the “Covered Entity,” as further defined below) (collectively, the “Parties”).
WHEREAS, Company, as defined in the above Application Services Provider Agreement (ASP) is a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and DrFirst.com, Inc. is a “Business Associate” as defined under HIPAA;
WHEREAS, in connection with the above Application Services Provider Agreement entered into between Business Associate and Covered Entity to provide certain services to or on behalf of Covered Entity (“Service Agreement”), Covered Entity may provide Business Associate with Protected Health Information or may require Business Associate to create, use, maintain, or transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the Parties enter into this Agreement for the purpose of ensuring compliance with HIPAA and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below), and the Breach Notification Rule (defined below);
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
II. DEFINITIONS AND INTERPRETATION
2.1 Definitions Generally.
2.1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
2.1.2 “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
2.1.3 “Electronic Protected Health Information” or (“EPHI”) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
2.1.5 “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.6 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
2.1.7 Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
2.2 Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in favor of the regulations. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
2.3 State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
2.4 Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.
III. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE
3.1 Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI received by the Business Associate as necessary to perform functions, activities or services for or on behalf of the Covered Entity as specified in the Service Agreement and including but not limited to:
3.1.1 Facilitating the processing of administrative, clinical and financial healthcare transactions;
3.1.2 Treatment of patients of the Covered Entity;
3.1.3 Establishing and maintaining Business Management Programs;
3.2 Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.
3.3 De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.
3.4 Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.
3.5 Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if:
3.5.1 Required By Law; and/or
3.5.2 Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.
3.6 Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
IV. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
4.1 Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement.
4.2 Safeguards Against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
4.3 Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4.4 Agreements With Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.
4.5 Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
4.6 Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
4.7 Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity (or an Individual as directed by the Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.
4.8 Accounting of Disclosures.
4.8.1 The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
4.8.2 The Business Associate shall provide to Covered Entity information collected in accordance with Section 4.8.1 of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.
4.9 Retention of Protected Health Information. Notwithstanding Section 8.3 of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section 4.8.1 of this Agreement for a period of six (6) years after termination of the Service Agreement.
4.10 Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
4.11 Availability of Information. The Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.
V. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
5.1 Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
5.2 Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
5.3 Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.
VI. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
6.1 Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach in accordance with the Breach Notification Rule.
6.2 Content of Notification. Any notice referenced above in Section 6.1 of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
VII. OBLIGATIONS OF THE COVERED ENTITY
7.1 Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.2 Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
7.3 Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.4 Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.
VIII. TERM AND TERMINATION
8.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity; or in the event that it is not feasible to return or destroy said PHI, protections are extended to such information with the termination provisions herein provided or as permissible by the applicable Regulations.
8.2 Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.
8.3 Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. In the event that the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
8.4 Retention of Certain Information. The Business Associate shall retain no copies of the aforementioned PHI; however, the Covered Entity understands and agrees that information relating to individual prescription transactions submitted by use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.
8.5 INDEMNIFICATION. In the event that there is a breach of privacy with respect to PHI under this BAA, the party causing the breach will indemnify the other party and its officers and directors for all actual damages, costs and attorneys’ fees caused by the breach, including but not limited to the actual costs of providing patient notice as a result of the breach.
9.1 Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.
9.2 Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.
9.3 Survival. The respective rights and obligations of Business Associate under Article VI of this Agreement shall survive the termination of this Agreement.
9.4 Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.
II. DRFIRST RCOPIA STANDARD SERVICE LEVEL AGREEMENT (SLA)
1. SYSTEM AVAILABILITY.
1.1 Access to DrFirst Servers. DrFirst will ensure that the DrFirst servers are available for use by Company or Company’s authorized end-user twenty-four (24) hours a day, seven (7) days per week. DrFirst servers will be available to Company or Company’s authorized end-user ninety-nine and ninety one hundredths percent (99.90%) of the time on an annual basis, excluding planned downtime for routine maintenance. Notwithstanding the foregoing, in no event shall unplanned downtime exceed one (1) hour per month or twelve (12) hours annually. DrFirst will monitor and report downtime on DrFirst servers, and a system availability report will be available upon request. Routine maintenance will be performed outside of normal business hours and will not exceed eight (8) hours per month without prior notification to Company or Company’s authorized end-user. The lack of key functionality for Company’s end-user (e.g., access to patient medication information, creating a new prescription, renewing an existing prescription) shall be considered unscheduled downtime.
1.2 Access to connections to Prescription Benefit Managers (“PBMs”) and Retail Pharmacies. DrFirst will ensure that the connections to PBMs and to retail pharmacies will be available for use by Company’s authorized end-user twenty-four (24) hours a day, seven (7) days per week. These connections will be available to Company’s authorized end-user ninety-eight percent (98%) of the time on an annual basis, excluding planned downtime for routine maintenance. Routine maintenance will be performed outside of normal business hours and will not exceed twenty (20) hours per month without prior notification to Company or Company’s end-user. In the event any third party provider of electronic transmission of prescription services to DrFirst is down, DrFirst will reroute prescriptions through the Fax Service. DrFirst shall ensure that, from the Company or Company’s end-user point of view, the failover to the Fax Service will be essentially transparent.
2. RESPONSE TIME. “Response Time” means the time elapsed between a request for a web page being received by the DrFirst servers and returning that web page. Response Time excludes any of the following: network or Internet latency; patient database queries; PBM queries including medication history and patient eligibility information; report writer queries; and pharmacy searches. DrFirst shall maintain a Response Time of two and one half (2.5) seconds or less between the hours of 7:00 a.m. and 8:00 p.m. EST, and any time in excess of the 2.5-second period shall be defined as “Response Time Failure.” For PBM queries including medication history and patient eligibility, DrFirst shall maintain a Response Time of five and one half (5.5) seconds or less between the hours of 7:00 a.m. and 8:00 p.m. EST, and any time in excess of the 5.5-second period shall be defined as “Response Time Failure.”
3.1 First Level Support. DrFirst shall provide to Company and Company’s authorized end-user adequate First Level Support documentation and user guides. “First Level Support” means responding to and solving basic end-user problems relating to Application Services. First Level Support consists of the following:
3.1.1 responding to questions from the Company or Company’s authorized end-user regarding Application Documentation; responding to questions from the Company or Company’s authorized end-user regarding the Application Services;
3.1.2 diagnosis of failures;
3.1.3 determining if the failure is the result of a configuration problem;
3.1.4 determining if the failure is the result of user error;
3.1.5 confirming that the failure is caused by the Application;
3.1.6 determining if a problem is a known problem;
3.1.7 using every reasonable effort to reproduce the reported problem; and
3.1.8 making available bug fixes and Updates received from DrFirst to Company or Company’s authorized end-user.
3.1.9 Notwithstanding the foregoing, where there is any Company-reported issue related to the Application, DrFirst will cooperate with Company and with the Company’s authorized end-user in the diagnosis and resolution of such issue.
3.2 Second Level Support. DrFirst shall maintain Second Level Support (as described below) to Company and Company’s authorized end-user of the Application. “Second Level Support” means responding to and solving significant Company and Company’s authorized end-user problems relating to the Application Services that cannot be resolved under First Level Support, such as bug fixes, Updates and other serious performance issues relating to the Application Services, and recommending and distributing such fixes and methods to restore operations to the Company’s end-user system. DrFirst will provide telephone support twenty-four (24) hours/ seven (7) days per week. Company or Company’s authorized end-user may access DrFirst telephone support by calling the DrFirst toll-free telephone line.
DrFirst will provide “live” telephone support twenty-four hours a day, seven days a week. Only authorized end-user of the Company support organization trained in the Applications will call DrFirst for support issues. Company may bypass the normal procedures if it is deemed by Company or Company’s authorized end-user that the support issue is urgent.
3.3 Escalation. System anomaly reporting – Company’s staff or Company’s authorized end-user may report issues/problems with the Applications at any time by clicking on the “Contact Us” link at the top of the Rcopia screen. Alternatively, Company’s authorized end-user may, after proper registration of its primary contact email account with DrFirst, submit issues in writing (email) to support@DrFirst.com by the authorized contact. DrFirst shall prioritize anomaly repair above all other development work.
3.3.1 System Severity Level 1. In the event that Company or Company’s authorized end-user determines that an anomaly materially affects the operation of the Application, DrFirst will respond to the issue report within one (1) hour during normal business hours, and within two (2) hours outside of normal business hours, and DrFirst will use best efforts to repair and install a patch promptly. For purposes of this Exhibit, material anomalies are defects that prevent Company’s authorized end-user from sending or receiving prescriptions or where business operations cannot reasonably continue (including, but not limited to, a situation where the DrFirst Server is not responding).
3.3.2 System Severity Level 2. For anomalies that are less urgent where an impairment may be circumvented, DrFirst will respond to Company or Company end-user within one (1) business day whether or not the issue reported constitutes an item that requires repair. If DrFirst determines that the reported anomaly is an anomaly that needs to be repaired, DrFirst will also communicate the time in which it reasonably believes the repair will be implemented into the system, which timeframe shall be no longer than five (5) days. If in the opinion of DrFirst, DrFirst does not believe that the anomaly reported requires repair, DrFirst will respond with an explanation and approach to alleviate the issue to Company or Company end-user within two (2) business days.
3.4 Updates. As part of any Updates provided by DrFirst to Company, DrFirst will provide Company with technical support personnel at no additional charge up to one (1) hour of live support to cover topics relating to the Updates, such as enhancements, errata, procedure changes as it relates to installation or maintenance and other related information exchange. The live support process shall consist of teleconferences or webcasts and associated presentation materials, and will be conducted between DrFirst and Company technical support personnel at a mutually agreed upon time.