TERMS AND CONDITIONS FOR DRFIRST MYBENEFITCHECK ENROLLMENT AGREEMENTS

EPIC myBenefitCheck Enrollment - Terms and Conditions

TERMS AND CONDITIONS
FOR DRFIRST MYBENFITCHECK EPIC ENROLLMENT AGREEMENTS

Applicability. These Terms and Conditions (“Terms”) apply to all.DrFirst MyBenefitCheck Epic Enrollment Agreements (each, an “Enrollment Agreement”).

1. Definitions

a. “Authorized End User” means any individual accessing mBC pursuant to an Enrollment Agreement.
b. “Claim” means any claim, demand, action, suit, or proceeding, and all liability, losses, judgments, damages, settlements and costs arising out of or relating to the same (including reasonable attorneys’ fees) whether based on breach of contract or warranty, tort including negligence, statute, or other legal or equitable theory.
c. “Company Software” means the Epic System Corporation (“Epic”) electronic medical record or health information system software licensed and utilized by Company.
d. “DrFirst End Point” means the DrFirst URL service communication channel for the Integration.
e. “Epic RTPB” means the Epic Real Time Prescription Benefits functionality in the Company Software.
f. “Go-Live” means the initiation of myBenefitCheck inquiry transaction in the production environment within the Epic RTPB function of the Company Software.
g. “Integration” means the integration of DrFirst’s myBenefitCheck services with the Epic RTPB function of the Company Software via the Specifications and the DrFirst End Point.
h. “myBenefitCheck” or “mBC” means DrFirst’s services which enables real time price transparency and coverage information.
i. “Specifications” means the Epic toolkit, Outgoing Real Time Prescription Benefit Inquiry and Response Interface, for interfacing Epic applications with external real time benefit check solutions, such as myBenefitCheck.

2. Company Obligations. Company shall be responsible for: (i) granting and revoking access to mBC through the Company Software; (ii) obtaining any and all consents or authorizations from patients necessary to use mBC; and (iii) ensuring that Company’s use of mBC complies with applicable laws and regulations. Additionally, Company will assist in the deployment, verification & rollout of mBC in their domains within the Epic RTPB service and follow the Implementation Guidelines referenced in the Enrollment Agreement. Finally, Company represents and warrants that it has a license from Epic to use and access the Company Software, and that such license permits the integration of mBC into the Epic RTPB service as contemplated in the Enrollment Agreement these Terms, and the Integration Guidelines.

3. Grant of License; Ownership of Software, Products and Intellectual Property. DrFirst grants to Company a limited, non-exclusive, non-transferable, revocable license to access and use mBC solely through the Integration with the Company Software. Except for the limited rights expressly granted to Company in these Terms, neither Company nor any Authorized End Users has any license, interest, or right of any kind in mBC. rFirst retains sole and exclusive rights to the DrFirst brand, mBC, and any associated code or software, including interface software, all related materials, and all copies thereof in any form or medium, whether now known or existing or hereafter developed, and including all copyrights, patents, trade secrets, trademarks, trade names and intellectual property rights associated therewith. All goodwill arising in or from the DrFirst brand shall inure solely to DrFirst’s benefit. Company shall not: (i) attempt to de-compile, reverse assemble, reverse engineer, or attempt to gain access to the source code of any software furnished by DrFirst; (ii) import, add, modify or create derivative works of any such software or user materials; (iii) delete data in any such software database by any method other than direct data entry through the application, or through a DrFirst developed interface; or (iv) remove any proprietary notices, labels, or marks from any software or user materials provided by DrFirst. The software, user materials, and other rights granted herein may not be transferred, leased, assigned, or sublicensed without DrFirst’s prior written consent, except to a successor in interest of Company’s entire business who assumes all of the obligations of these Terms. In the event of any unauthorized transfer, Company’s rights under this Agreement shall automatically terminate.

4. Confidentiality. The Parties acknowledge that during the performance of this Agreement, each party may have access to certain of the other Party’s confidential information or confidential information of third parties that the disclosing party is required to maintain as confidential (“Confidential Information”). Both parties agree that all items of Confidential Information are proprietary to the disclosing party or such third party, as applicable, and shall remain the sole property of the disclosing party or such third party. Each party receiving Confidential Information from the other party agrees as follows: (i) that such receiving party shall use the Confidential Information only for performance of the Enrollment Agreement; (ii) that such party will not reproduce the Confidential Information except as minimally necessary to use for performance hereunder and will hold in confidence and protect the Confidential Information from dissemination to, and use by, any third party; (iii) that such party shall not create any derivative work from Confidential Information disclosed to said party by the other party; (iv) that such party shall restrict access to the Confidential Information to such of its personnel, agents, and/or consultants, if any, who have a need to have access for purposes of performing that party’s obligations hereunder; and (v) that such party shall return or destroy all Confidential Information disclosed by the other party in its possession upon termination or expiration of the Enrollment Agreement. For clarity, Company may not disclose any Confidential Information of DrFirst or data received via mBC, including but not limited to any documentation or materials owned by DrFirst, to Epic.

5. Data Handling. DrFirst may de-identify any and all protected health information and other data provided to it by Company. De-identified data may be used for any lawful purpose; provided, however, that the use does not identify Company or the Authorized End User, except for cases where an Authorized End User has selected a program which requires the ability to identify the Authorized End User.

6. Availability of Data Sources. Company acknowledges and agrees that any pharmacy benefits manager, plan, or other data source may opt out of participation in mBC at any time without prior notice to Company.

7. Warranties and Disclaimers. EXCEPT AS EXPRESSLY SET FORTH HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DRFIRST DISCLAIMS ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND/OR NON-INFRINGEMENT. DRFIRST DOES NOT WARRANT THAT THE APPLICATION WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF THE APPLICATION WILL BE UNINTERRUPTED OR ERROR-FREE. COMPANY AGREES THAT DRFIRST IS NOT RESPONSIBLE FOR ACCURACY, COMPLETENESS, QUALITY, INTEGRITY, LEGALITY, RELIABILITY, OR APPROPRIATENESS OF DATA PROVIDED TO COMPANY. COMPANY WAIVES ANY CLAIMS AGAINST DRFIRST AND EPIC RELATED TO THE ACCURACY, COMPLETENESS, QUALITY, INTEGRITY, LEGALITY, RELIABILITY, AVAILABILITY, AND APPROPRIATENESS OF DATA PROVIDED TO COMPANY HEREUNDER.

8. LIMITATION OF LIABILITY. IN NO EVENT SHALL DRFIRST OR ANY OF ITS LICENSORS, AGENTS OR REPRESENTATIVES BE LIABLE TO COMPANY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, LOST PROFITS, BUSINESS INTERRUPTION, EVEN IF DRFIRST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL DRFIRST BE LIABLE TO COMPANY ON ACCOUNT OF ANY LOSS OR CLAIM CAUSED BY THE FAILURE OF COMPANY OR ANY OF YOUR EMPLOYEES, AGENTS, PROVIDERS OR REPRESENTATIVES TO PERFORM ANY OF YOUR/THEIR OBLIGATIONS UNDER THIS AGREEMENT. THE CUMULATIVE LIABILITY OF DRFIRST TO COMPANY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF ALL LICENSE FEES PAID TO DRFIRST BY COMPANY DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE ACT, OMISSION OR EVENT GIVING RISE TO SUCH LIABILITY.

9. Indemnification. Company shall defend, indemnify and hold harmless DrFirst against all Claims of any kind of nature arising out of or resulting from Company or Company’s Authorized End Users (i) misuse of or unauthorized disclosure of or access to, protected health information; (ii) any material breach of the Terms, Enrollment Agreement, BAA, or Implementation Guidelines; (iii)) use of or inability to use the Epic RTPB, the Integration, the Specifications, or any data; or (iv) negligence, willful misconduct, or violation of any law or any use, access, disclosure, or possession of any data received in connection with the Integration.

10. Termination. Either party may terminate the Enrollment Agreement for a material breach of the Enrollment Agreement, these Terms, the BAA, or the Implementation Guidelines by the other party upon written notice, which breach is not cured within thirty (30) days after written notice by the non-breaching party setting forth, in reasonable detail those terms and conditions which have been breached. Furthermore this Agreement may be terminated by either Party immediately upon written notice of Termination in the event that one party makes a general assignment for the benefit of creditors, or files voluntary petition in bankruptcy or for reorganization or rearrangement under the bankruptcy laws, or if a petition in bankruptcy is filed against a party and is not dismissed within thirty (30) calendar days after the filing, or if a receiver or trustee is appointed for all or any part of property or assets of such other party.

11. Notices. Unless otherwise expressly provided herein, all notices or other communications shall be in writing and delivered either personally, via a nationally recognized overnight carrier, or by certified, return receipt requested, postage prepaid U.S. mail to the addresses set forth on the signature page of the Mobile Services Agreement. Either party may change its address by specifying such change in a written notice to the other. A copy of any notice directed to DrFirst at the address on the Mobile Services Agreement shall be sent to the attention of the DrFirst.com, Inc, Legal Department, 9420 Key West Avenue, Suite 101, Rockville, MD 20850, with a courtesy e-mail to: dfnotice@drfirst.com

12. Miscellaneous. Any attempt to add or alter the terms of this Agreement by a purchase order shall be null and void.
Except as provided otherwise herein, this Agreement may not be modified except by a writing signed by an authorized representative of both parties. A waiver by either party of its rights hereunder shall not be binding unless contained in a writing signed by an authorized representative of the party waiving its rights. The non-enforcement or waiver of any provision shall not constitute a waiver of such provision on any other occasion unless expressly so agreed in writing. This Agreement and all rights and obligations may not be assigned in whole or in part by either party without the prior written consent of the other, except in connection with a reorganization, merger, consolidation, acquisition, or restructuring involving all, or substantially all of the voting securities and/or assets of the assigning party. Neither party shall be liable for failure to perform any of its obligations hereunder if such failure is caused by an event outside its reasonable control, including, but not limited to, an act of God, shortage of materials, personnel or supplies, war, or natural disaster. If any provision of this Agreement is declared invalid by a court of competent jurisdiction, such provision shall be ineffective only to the extent of such invalidity, so that the remainder of that provision and all remaining provisions of this Agreement shall be valid and enforceable to the fullest extent permitted by applicable law. This agreement shall be governed by and interpreted in accordance with the laws of the state of Maryland, without regard to conflicts of law principles thereof or to the United Nations Convention on the International Sale of Goods. For purposes of all claims brought under this agreement, each of the parties hereby irrevocably submits to the non-exclusive jurisdiction of the state courts of the state of Maryland. Under no circumstances, shall this agreement or a part thereof be subject to the Uniform Computer Information Transaction Act. The parties recognize and agree that their obligations under Paragraphs 3,4, 5 and 6 of this Master Agreement shall survive the cancellation, termination or expiration of this Agreement.

 

BUSINESS ASSOCIATE AGREEMENT

I. APPLICABILITY

This Business Associate Agreement (“Agreement”) applies to all DrFirst MyBenefitCheck Epic Enrollment Agreements (referred to as the “Service Agreement”) pursuant to which DrFirst (“Business Associate”) receives PHI from a Covered Entity as a Business Associate as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”).

II. DEFINITIONS AND INTERPRETATION

2.1 Definitions Generally.
2.1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
2.1.2 “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
2.1.3 “Electronic Protected Health Information” or (“EPHI”) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
2.1.5 “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2.1.6 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
2.1.7 Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
2.2 Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations (collectively, the “Regulations”) or any binding interpretation thereof, said conflict will be resolved in favor of the Regulations. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
2.3 State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
2.4 Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.

III. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE

3.1 Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI received by the Business Associate as necessary to perform functions, activities or services for or on behalf of the Covered Entity as specified in the Service Agreement and including but not limited to:
3.1.1 Facilitating the processing of administrative, clinical and financial healthcare transactions;
3.1.2 Treatment of patients of the Covered Entity;
3.1.3 Establishing and maintaining Business Management Programs;
3.2 Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.
3.3 De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.
3.4 Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.
3.5 Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if:
3.5.1 Required By Law; and/or
3.5.2 Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.
3.6 Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

IV. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

4.1 Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement
4.2 Safeguards Against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
4.3 Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4.4 Agreements With Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.
4.5 Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
4.6 Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
4.7 Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity (or an Individual as directed by the Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designed by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.
4.8 Accounting of Disclosures.
4.8.1 The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
4.8.2 The Business Associate shall provide to Covered Entity information collected in accordance with Section 4.8.1 of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.
4.9 Retention of Protected Health Information. Notwithstanding Section 8.3 of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section 4.8.1 of this Agreement for a period of six (6) years after termination of the Service Agreement.
4.10 Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
4.11 Availability of Information. The Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.

V. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

5.1 Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
5.2 Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
5.3 Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.

VI. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

6.1 Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.
6.2 Content of Notification. Any notice referenced above in Section 6.1 of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.

VII. OBLIGATIONS OF THE COVERED ENTITY

7.1 Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.2 Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
7.3 Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
7.4 Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.

VIII. TERM AND TERMINATION

8.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity; or in the event that it is not feasible to return or destroy said PHI, protections are extended to such information with the termination provisions herein provided or as permissible by the applicable Regulations.
8.2 Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.
8.3 Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. In the event that the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
8.4 Retention of Certain Information. The Business Associate shall retain no copies of the aforementioned PHI; however, the Covered Entity understands and agrees that information relating to individual prescription transactions submitted by use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.

IX. MISCELLANEOUS

9.1 Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.
9.2 Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.
9.3 Survival. The respective rights and obligations of Business Associate under Article VI of this Agreement shall survive the termination of this Agreement.
9.4 Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.

IMPLEMENTATION GUIDELINES

I. DEFINITIONS:

A. “Member” means an individual or patient for whom Company is seeking a response transaction from DrFirst.
B. “Prescriber(s)” means health care providers licensed to prescribe medications in conjunction with a then-current treatment relationship with the Member.

Capitalized terms not defined in the Implementation Guidelines have the same meaning as set forth in the Terms. In the event of a conflict between this Terms and the Implementation Guidelines, the Implementation Guidelines will control.

II. OVERVIEW:

These Implementation Guidelines outlines the engineering and project management resources required to develop the DrFirst myBenefitCheck integration in Epic RTPB and is intended to be utilized along with the myBenefitCheck Product Addendum (“Addendum”).
The overall purpose of this Implementation Guidelines is to interface the Company Software with mBC and allow Company to utilize the myBenefitCheck triggers for real time price transparency and coverage information in the Company Epic RTPB service. Through the interface of the Company Platform and mBC, the Member information will be transmitted to myBenefitCheck and Company will receive Member benefits information. Company will then communicate benefits information to the Member or Prescriber.

III. PROJECT COMPLETION CRITERIA.
The integration project, as defined in the scope, will be considered complete when the application meets the Implementation Guidelines scope details, all certification test cases have been completed in a non-production environment, and when a user in a production environment can:

A. Initiate the DrFirst myBenefitCheck request within the defined workflow;
B. Receive the myBenefitCheck Response;
C. Display the coverage determination(s), pricing, and alternate therapy information;
In addition to a user being able to perform the above functions, the project is deemed complete when the below project items have occurred;
D. Go-Live issues are resolved, or an enhancement is planned; and
E. Management of the Company relationship has transitioned to a DrFirst Account Manager as the primary point of contact.

IV. COMPANY RESPONSIBILITIES

a. Resourcing and Communications

i. Company will provide a project management resource (“Project Manager”), of the appropriate level of experience required by the project, that will be available to DrFirst as necessary to support the effective execution of these Implementation Guidelines and will be available for the duration and successful completion of this project.
ii. Company will provide resources that will be available to DrFirst as necessary to support the effective completion of the Integration outlined in these Implementation Guidelines for the duration of the project.
iii. Company will provide the contact information for the Project Manager and resources prior to the project kick off call.
iv. Company will provide necessary quality assurance and testing resources to DrFirst to complete necessary testing to validate proper functionality and operation of the Integration.
v. All technical issues must be submitted via DrFirst’s service desk process. A service desk document will be provided to Company by DrFirst’s integration project lead.
vi. Company will provide ongoing feedback for the Implementation Guidelines deliverables and activities in a weekly implementation call and subsequent monthly touch base with your account manager.
vii. Company will validate in production and provide DrFirst five (5) business days prior notice of nonconformance with acceptance testing criteria.
viii. Company agrees to train all providers and staff who wish to use the DrFirst mBC integration in Epic RTPB. DrFirst and Company understands that DrFirst will provide “train the trainer” training for the DrFirst mBC integration.
ix. Company warrants that it will not transmit any information where it is known to Company that such information was transmitted to Company without proper patient and/or provider consent.

b. Infrastructure and Network Access

i. Company will procure/configure any hardware and/or software necessary to integrate with mBC. All associated installation and setup will be handled solely by the Company’s team and completed prior to project commencement to avoid schedule delays.
ii. Company will provide DrFirst and its subcontractors timely access to their server/network.
iii. Company shall provide training and education to DrFirst and regarding its existing workflows and the utilization of the system.
iv. Company shall provide DrFirst access to the following Company Data for each Transaction:
Member demographic information
Prescription information
Member eligibility information
v. Company will provide additional data elements to be set forth in the Specifications. Company agrees to provide any additional data elements necessary to provide the services upon mutual written agreement between the Parties (for which e-mail shall suffice).
vi. Within ten (10) business days of integrating mBC, Company is required to notify DrFirst and provide a live walkthrough, which may be conducted via a videoconference such as a Webex, of the display of the mBC content within the Company Software. In the event, that the use of the mBC content substantially changes, Company shall notify DrFirst in writing of any such changes and provide DrFirst with a similar live walkthrough.

V. DRFIRST RESPONSIBILITIES

A. DrFirst will deliver technical documentation as required to complete the interface and/or integration to achieve functionality of the service as specified in the scope.
B. Hosting of the Application Server:

i. DrFirst shall, at its own expense, maintain mBC on one or more of its own network computer servers (any such servers, collectively, the “Application Server”). DrFirst shall bear sole responsibility for the operation and maintenance of the Application Server hardware, its operating system and/or its platform software, and any third-party application software associated with, or necessary for, the operation and functioning of the Application Server, including functions associated with access to the Integration in accordance with this Implementation Guidelines.
ii. mBC will not be located on a Company server at any time and the Application Server shall always remain the responsibility of DrFirst, provided that DrFirst shall be permitted to enter into an arrangement with one or more third parties for the performance of DrFirst’s obligations, whereby any such third party may install mBC, own, operate or maintain the Application Server, or undertake to manage the Application Server with respect to access to the Offering, provided that DrFirst shall ensure that any such third party shall be contractually bound to provide substantially the same level of protection with respect to Company’s Confidential Information as is provided by the terms of the MSA.

C. Support and Training:

i. DrFirst will provide support to Company personnel directly. For the sake of clarity, Company Authorized Users shall not contact DrFirst directly for technical support. Requests for DrFirst technical support shall be routed through Company.

D. Integration.

i. DrFirst agrees that all responses to transactions submitted by Company will be complete with all mandatory fields as set forth in the Specifications. All data fields provided by the payer/pbm data source and other information shall be provided as specified in the documentation provided in the Specifications.
ii. DrFirst agrees to support a DrFirst End Point for an interface that will allow two-way, real-time communication and population of mBC data fields with inputs from Company’s Platform.

VI. DRFIRST INTEGRATION RESOURCE AND ROLES

The DrFirst Integration project team is comprised of the below resources:

A. Project Manager (PM) – Responsible for managing the project initiation, planning, execution and monitoring, starting with the kick-off call through the transition to operations after the project has closed. The Project Manager is the single point of contact for all communications, coordination of activities between resources, deliverables, and status reporting related to the project during the project lifecycle.
B. Account Manager (AM) – Acts a project resource for providing operational support throughout the project lifecycle and transitions to the primary point of contact for the Company ongoing after the project is closed.

VII. PROJECT CHANGE REQUEST PROCESS

The Project Change Request Process will be used to manage change requests in the event that the Company requires changes or additional work to the original scope.
Either Company or DrFirst may initiate a Project Change Request (PCR). A PCR may be requested for, but is not limited to any of the following reasons:
A. A modification, addition or deletion is required in the project requirements;
B. A required task is not identified during one of the project phases;
C. A task identified during one of the project phases has changed or is no longer required;
D. Modifications are required to the project scope, schedule or implementation plan.
All PCRs will be submitted in writing or e-mail. Each PCR will specify the nature of the change requested, the reason for the change and any subsequent impact to schedules, deliverables and cost. PCRs will not be implemented until agreed to in writing by both the Company and DrFirst Project Manager. PCRs communicated via telephone will be followed by a written request or confirmation. PCRs may affect the scope or schedule of the project and may require that the Company install an upgrade or newer release at a later time.

VIII. COMMON PROJECT ACTIVITES AND MILESTONES

This section covers the role played by each company’s teams during the integration process along with the typical timeline for each. It is important that the DrFirst team can include the necessary resources at various stages to avoid integration delays.

# Milestone DrFirst Resources Company Resources Typical Timeline ResponsibleParty
1.0 Kick-Off Call PM, Sales, AM PM, Executive Sponsor, Technical Resources, Designated Super Users and Admins Within 5 days following effective date of agreement. DrFirst
2.0 Project Planning Phase PM, AM, Sales PM, Executive Sponsor, Designated Super Users and Admins Within 30 days of Kick Off Call Company, DrFirst
3.0 Requirements and Design Phase PM, AM, Sales PM, Executive Sponsor, Technical Resources, Designated Super Users and Admins Within 30 days of completion of the Project Plan. Company, DrFirst
4.0 Configuration and Testing Phase PM, DF Integration Services, Software Engineers PM, Technical Resources Testing phase dependent on mBC integration completion. Company
5.0 Certification Phase PM, AM PM, AM, Technical Resources Certification phase prior to go live. Company, DrFirst
6.0 Go-Live PM, DrFirst Integration Services, Software Engineers, Sales PM, Technical Resources Agreed upon time frame Company, DrFirst
7.0 Support and Optimization PM, AM PM, Executive Sponsor, Designated Super Users and Admins Daily touch-bases as needed for 1 week after GL with successful transition to your account manager Company, DrFirst

IX. ACTIVITIES AND MILESTONES DESCRIPTIONS.

a. Kick-Off Call
The purpose of this call is to introduce resources involved in the project from both sides, introduce the project, demo the application, review the high-level project milestones / activities, and next steps. In addition, timing for scheduling a recurring weekly project call is established.
The Kick-Off Call should be scheduled within 5 business days following the effective date of the Agreement.
b. Project Planning Phase
Following the Kick-off Call, the DrFirst Account Manager and the Company Project Manager work together to vet out the integration timelines based on the Company’s integration plans and set a firm go-live date as a target to focus the execution of both teams. The parties agree to develop a mutually agreeable project plan (“Project Plan”) within thirty (30) days of the kick off call.
The Project Planning Phase call will be scheduled to ensure that both sides agree to the plan to properly execute the mBC integration in Epic RTPB service.
c. Requirements and Design Phase
The Requirement and Design phase is needed to ensure that the Specifications are properly being utilized as part of the Epic RTPB service to integrate mBC. The parties agree to meet to discuss and mutually agree to technical requirements, including the technical design associated with the project.
d. Configuration AND Testing Phase
The Configuration and Testing Phase is needed to ensure that the Company has configured the Integration to connect to all pharmacy benefit managers and other sources of benefit information supported by the mBC and the integration has been tested successfully. This phase is very dependent on both parties maintaining regular contact and quickly identifying and resolving any roadblocks that occur.
e. Certification Phase
Once testing in the staging environment is complete, DrFirst requires Company to successfully complete a DrFirst certification and/or user acceptance testing process prior to mBC services being made available in production environments for both beta and general availability.
f. Go-Live
Upon successful completion of the Certification Phase, Company may go-live the mBC service within their production environment in Company Platform.
g. Support and Optimization
DrFirst encourage that the Client contact us a week after go live to ensure that the production environment is working successful and handling any errors or training issues that may occur during the go live.

X. ADDITIONAL NOTES

A. mBC reporting under this Implementation Guidelines shall be mutually agreed upon in writing by the parties.
B. Enhancement requests or bug fixes are generally not counted towards billable time.