Mayo Clinic Platform
Subscription Terms of Service

These Subscription Terms of Service (the “Terms”) are a binding legal contract between you and the technology developer named in your Order Form (“Provider”). By accessing or using the Services, as defined below, you will be bound by the terms of these Terms. If you do not agree to the terms of these Terms, Provider is not willing to grant you any right to use or access the Services. If these Terms is being agreed to by a company or other legal entity, then the person agreeing to these Terms on behalf of that company or entity represents and warrants that he or she is authorized and lawfully able to bind that company or entity to these Terms. In that case, all references to “you” refer to your employer.

  1. Services
    1. You are authorized to access the software, hosting, and professional services provided by Provider (collectively, the “Services”) as further specified in the order form between You and Mayo Foundation for Medical Education and Research (“Mayo”) (the “Order Form”). The Services include any (i) web and other user interfaces, applications, and software made available by Provider to End Users (defined herein), (ii) the associated application programming interfaces, and (iii) any modifications, updates, derivative works, optional modules, custom or standard enhancements, updates, and upgrades to or of any of the foregoing.
    2. Subject to the terms and conditions of these Terms and the terms of the applicable Order Form, including your payment of all relevant fees under the Order Form, Provider grants you and your End Users a non-exclusive, non-transferable license to access and use the hosted services (the “Services”) solely for your own internal business purposes during the applicable Order Form term. To the extent Provider provides any software to you for installation on your systems for use in connection with the Services, the software will be included in the definition of Services and subject to the foregoing license. All software may only be used in support of your use of the Services and for no other purpose. For purposes of these Terms, “End Users” means your employees, contractors, and representatives who are authorized to access the Services on your behalf.
  2. Restrictions. You and your End Users may only use the Services as described in these Terms and in Provider’s then-current documentation for the Services made generally available to our customers (the “Documentation”). You are responsible for ensuring your End Users comply with all relevant terms of these Terms and any failure to comply will constitute a breach by you. Except as expressly authorized by these Terms, you will not, and will not allow any End User or other third party to: (a) permit any third party to access or use the Services other than an End User; (b) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code or underlying structure, ideas, know-how or algorithms relevant to the Services, except to the extent expressly permitted by applicable law; (c) use the Services or any Provider Confidential Information to develop a competing product or service; (d) adapt, alter, modify, improve, translate or create derivative works of the Services; (e) use any Service, or allow the transfer, transmission, export, or re-export of any Service or portion thereof, in violation of any laws or regulations, including export control laws or regulations administered by the U.S. Commerce Department or any other government agency; or (f) remove any copyright, trademark, proprietary rights, disclaimer, or warning notice included on or embedded in any part of the Documentation and Service, including any screen displays, etc., or any other products or materials provided by Provider hereunder.
  3. Information Security. Consistent with any law or regulation applicable to the Services and Provider’s then-current practices and procedures, Provider will maintain and enforce administrative, technical, and physical safeguards to reasonably protect the confidentiality, availability, and integrity of your Confidential Information and Your Data, as defined below. Provider will promptly report to you any compromise of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Data of which Provider becomes aware.
  4. Service Levels and Support Obligations. The specific service levels and support obligations for the Services shall be detailed in the Order Form. By this reference, all terms, conditions, and obligations specified in the Order Form are hereby included and binding as if fully set forth herein.
  5. Availability. Provider will use reasonable efforts to make the hosted elements of the Services available for remote access 99% of the time each calendar month of the Term, excluding Excused Outages (as defined below) (“Availability”). Downtime as a result of any causes beyond the control of Provider or that are not reasonably foreseeable by Provider, including, without limitation, by any of the events noted below, are excluded from the Availability calculations (collectively, “Excused Outages”):
    1. Issues in your environment affecting connectivity or interfering with the Services, including, without limitation, your telecommunications connection or any of your other software or equipment, your firewall software, hardware or security settings, your configuration of anti-virus software or anti-spyware or malware software, or your operator errors;
    2. any third party software, hardware, or telecommunication failures, including internet slow-downs or failures;
    3. Force Majeure Events, as defined in Section 18.1 (Force Majeure);
    4. issues related to third party domain name system (DNS) errors or failures;
    5. scheduled maintenance of the Services, conducted on a regular basis during non-peak hours; and
    6. emergency maintenance of the Services.

  1. In the event Provider fails to achieve the Availability requirement, Provider will use commercially reasonable efforts to correct the interruption as promptly as practicable. In the event Provider fails to achieve the Availability requirement in two (2) consecutive months during the Term of the Order Form, you may terminate the Order Form within thirty (30) days of the end of the second consecutive month upon legal notice as described in the Order Form, without further obligation. Termination will constitute your sole and exclusive remedy and Provider’s sole and exclusive liability for failure to achieve the Availability requirement.
  2. Privacy Policy. Please review Provider’s Privacy Policy located in the Order Form for details on the manner in which Provider collects, uses, discloses, and otherwise manages your personal information.
  3. Business Associate Agreement. If Provider needs to access, use, receive, maintain, transmit, or create “Protected Health Information” (as such term is defined by the Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health Act of 2009, and the regulations promulgated thereunder (“HIPAA”)) in connection with its performance of these Terms, the parties agree that the Business Associate Agreement (“BAA”) attached hereto as Attachment A shall apply. The BAA forms an integral part of the Terms and shall control with respect to the treatment of Protected Health Information in the event of a conflict between the terms of the BAA and these Terms.
  4. Proprietary Rights. You acknowledge and agree that (a) all Services are protected by intellectual property rights, as applicable, of Provider and its vendors/licensors and that you have no right to transfer or reproduce any of the foregoing or any software provided with the Services or prepare any derivative works with respect to, or disclose Confidential Information (as defined in Section 155 (Confidentiality)) pertaining to, any Services or any part of them, and (b) that Provider and its licensors own all right, title, and interest in and to the Services, including any changes or modifications made to the Services performed in connection with these Terms, together with all ideas, architecture, algorithms, models, processes, techniques, user interfaces, database design and architecture, and “know-how” embodying the Services.
  5. Your Data. You grant Provider a non-exclusive, world-wide, royalty-free license to use the documents, information, graphics, data, content, and other materials input by you or on your behalf into the Services (“Your Data”) for purposes of performing these Terms. You will be responsible for obtaining all rights, permissions, and authorizations to grant the foregoing license. You grant Provider a non-exclusive, perpetual, irrevocable, fully-paid- up, royalty-free license to use, copy, distribute, and otherwise exploit statistical and other aggregated data derived from your use of Services (the “Aggregated Data”) for Provider’s business purposes, including training of its artificial intelligence and the provision of products and services to Provider’s customers, provided that the Aggregated Data is de-identified or combined with similar data from Provider’s other customers and does not include (directly or by inference) any information identifying you or any identifiable individual. The Aggregated Data will not be considered your Confidential Information.
  6. Feedback. You may provide suggestions, comments or other feedback (collectively, “Feedback”) to Provider with respect to its products and services, including the Services. Feedback is voluntary. Provider may use Feedback for any purpose without obligation of any kind. To the extent a license is required under your intellectual property rights to make use of the Feedback, you grant Provider an irrevocable, non-exclusive, worldwide, perpetual, fully-paid-up, royalty-free license to use the Feedback in connection with Provider’s business, including the enhancement of the Services.
  7. Third Party Vendors and Service Providers.
    1. DISCLAIMER. CERTAIN ELEMENTS OF THE SERVICES MAY BE PROVIDED BY OUR THIRD PARTY LICENSORS, SUPPLIERS, AND VENDORS (THE “THIRD PARTIES” AND THE “THIRD PARTY ELEMENTS”). YOU MAY ONLY USE THE THIRD PARTY ELEMENTS IN CONNECTION WITH THE SERVICES. YOU MAY NOT REVERSE ENGINEER, DECOMPILE, OR OTHERWISE ATTEMPT TO DERIVE THE TRADE SECRETS IN THE THIRD PARTY ELEMENTS. YOU AGREE: (I) THE THIRD PARTIES DISCLAIM ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE SERVICES AND THIRD PARTY ELEMENTS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, TITLE, MERCHANTABILITY, QUIET ENJOYMENT, QUALITY OF INFORMATION, AND FITNESS FOR A PARTICULAR PURPOSE; (II) IN NO EVENT WILL THE THIRD PARTIES BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, PUNITIVE, EXEMPLARY, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE) ARISING OUT OF THE TERMS, THE SERVICES, OR THE THIRD PARTY ELEMENTS, EVEN IF THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES; (III) IN ANY EVENT, THE MAXIMUM LIABILITY OF ANY THIRD PARTY FOR ALL CLAIMS (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE) OF EVERY KIND WILL NOT EXCEED FIFTY DOLLARS ($50.00); AND (IV) YOU HEREBY IRREVOCABLY WAIVE ANY AND ALL CLAIMS, NOW KNOWN OR LATER DISCOVERED, THAT YOU MAY HAVE AGAINST THE THIRD PARTIES ARISING OUT OF THE TERMS, THE SERVICES, AND THE THIRD PARTY ELEMENTS. The Third Parties are intended third party beneficiaries of these Terms, capable of directly enforcing its terms.
    2. Third Party Products. The Services may support integrations with certain non-Provider software, software-as-a- service, data sources, or other products or services that are integrated with or otherwise accessible through the Services (“Third Party Products”). To enable the Services to access and receive your information from a Third Party Product, you may be required to provide credentials for such Third Party Product. By enabling use of the Services with any Third Party Product, you authorize Provider to access your accounts with such Third Party Product for the purposes described in these Terms. You are responsible for complying with any relevant terms and conditions of the Third Party Products or otherwise presented by the providers of Third Party Products and for maintaining appropriate accounts in good standing with the providers of the Third Party Products. You acknowledge and agree that Provider has no responsibility or liability for any Third Party Product, or how a Third Party Product uses or processes Your Data. Provider cannot ensure that the Services will maintain integrations with any Third Party Product and Provider may disable integrations of the Services with any Third Party Product at any time with or without notice to you. For clarity, these Terms govern your use of and access to the Services, even if accessed through an integration with a Third Party Product. TO THE EXTENT YOU USE FEATURES IN THE SERVICES THAT INTEGRATE WITH A THIRD PARTY PRODUCT AND YOU REQUEST THAT PROVIDER INTEGRATE WITH SUCH THIRD PARTY PRODUCT’S BETA OR PRE-RELEASE FEATURES (“THIRD PARTY BETA RELEASES”), PROVIDER WILL HAVE NO LIABILITY ARISING OUT OF OR IN CONNECTION WITH PROVIDER’S PARTICIPATION IN SUCH THIRD PARTY BETA RELEASES OR YOUR USE OF SUCH INTEGRATED FEATURES.
  8. Warranties.
    1. Your Warranty. You represent and warrant that (a) you have full power, capacity, and authority to enter into these Terms and to grant the license set forth in Section 9 (Your Data); and (b) use of Your Data as permitted under these Terms and your use of the Services does not and will not infringe the intellectual property, publicity, privacy, or other rights of any person and is not defamatory, obscene, or in violation of applicable foreign, federal, state and local laws, rules and regulations (including but not limited to applicable policies and laws related to spamming, privacy, and consumer protection) (collectively, “Applicable Laws”).
    2. Provider Warranty. During the Term, Provider represents and warrants: (a) the Services will substantially comply with the Documentation; (b) it will use commercially reasonable efforts to screen the Services for viruses, Trojan horses, worms, and other similar intentionally harmful or destructive code; and (c) it will comply with Applicable Laws in performing these Terms. In the event of a breach of the warranty in this Section 12.2, Provider’s sole and exclusive liability and your sole and exclusive remedy will be to perform the defective Service again. In the event Provider is unable through reasonable efforts to correct the defective Service within thirty (30) days from receipt of notice from you of the breach, you may elect to terminate these Terms and receive a pro- rated refund of any pre-paid, unused recurring fees for the non- conforming Services.
    3. Disclaimer of Warranties. EXCEPT AS PROVIDED IN SECTION 12.2 (PROVIDER WARRANTY), THE SERVICES ARE PROVIDED “AS IS” AND “AS-AVAILABLE,” WITH ALL FAULTS, AND WITHOUT WARRANTIES OF ANY KIND. PROVIDER AND ITS VENDORS AND LICENSORS DISCLAIM ALL OTHER WARRANTIES, EXPRESS AND IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT, QUALITY OF INFORMATION, AND TITLE/NON- INFRINGEMENT. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY PROVIDER OR ITS AUTHORIZED REPRESENTATIVES WILL CREATE ANY OTHER WARRANTIES OR IN ANY WAY INCREASE THE SCOPE OF PROVIDER’S OBLIGATIONS HEREUNDER. THE SERVICES MAY BE USED TO ACCESS AND TRANSFER INFORMATION OVER THE INTERNET. YOU ACKNOWLEDGE AND AGREE THAT PROVIDER AND ITS VENDORS AND LICENSORS DO NOT OPERATE OR CONTROL THE INTERNET AND THAT: (I) VIRUSES, WORMS, TROJAN HORSES, OR OTHER UNDESIRABLE DATA OR SOFTWARE; OR (II) UNAUTHORIZED USERS (E.G., HACKERS) MAY ATTEMPT TO OBTAIN ACCESS TO AND DAMAGE YOUR DATA, WEB-SITES, COMPUTERS, OR NETWORKS. PROVIDER WILL NOT BE RESPONSIBLE FOR SUCH ACTIVITIES.
  9. Provider Indemnity. Provider will defend and indemnify you and hold you harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, and expenses (including but not limited to reasonable attorneys’ fees) arising from a claim by a third party that your licensed use of the Services infringes that third party’s United States patent, copyright, or trade secret rights. The foregoing indemnification obligation of Provider is contingent upon you promptly notifying Provider in writing of such claim, permitting Provider sole control of the defense or settlement of such claim, and providing Provider reasonable assistance (at Provider’s expense) in connection therewith. If a claim of infringement under this Section 14 (Indemnity) occurs, or if Provider determines a claim is likely to occur, Provider will have the right, in its sole discretion, to either (a) procure for you the right or license to continue to use the Services free of the infringement claim, or (b) modify the Services to make them non-infringing, without loss of material functionality. If neither of these remedies is reasonably available to Provider, Provider may, in its sole discretion, immediately terminate these Terms and return the prorated portion of any pre-paid, unused fees for the relevant Services. Notwithstanding the foregoing, Provider will have no obligation with respect to any claim of infringement that is based upon or arises out of (i) the use or combination of the Services with any hardware, software, products, data, or other materials not provided by Provider, (ii) modification or alteration of the Services by anyone other than Provider, (iii) use of the Services in excess of the rights granted in these Terms, or (iv) Your Data (collectively, the “Excluded Claims”). The provisions of this Section 13 (Indemnity) state the sole and exclusive obligations and liability of Provider and its licensors and suppliers for any claim of intellectual property infringement arising out of or relating to the Services or these Terms, and are in lieu of any implied warranties of non- infringement, all of which are expressly disclaimed.
  10. Your Indemnity. You will defend and indemnify Provider and hold it harmless from any and all claims, losses, deficiencies, damages, liabilities, costs, fines, sanctions, and expenses (including but not limited to reasonable attorneys’ fees) incurred by Provider as a result of any claim by a third party arising from your breach of these Terms or use of the Services.
  11. Confidentiality. During the course of these Terms, each party may disclose to the other certain non-public information or materials relating to a party's products, intellectual property, business, marketing programs and efforts, and other confidential information and trade secrets (“Confidential Information”). Notwithstanding the foregoing, Confidential Information does not include information that: (a) is or becomes publicly available through no breach by the receiving party of these Terms; (b) was previously known to the receiving party prior to the date of disclosure, as evidenced by contemporaneous written records; (c) was acquired from a third party without any breach of any obligation of confidentiality; (d) was independently developed by a party hereto without reference to Confidential Information of the other party; or (e) is required to be disclosed pursuant to a subpoena or other similar order of any court or government agency, provided, however, that party receiving such subpoena or order will promptly inform the other party in writing and provide a copy thereof, and will only disclose that Confidential Information necessary to comply with such subpoena or order. Except as expressly provided herein, the receiving party will not use or disclose any Confidential Information of the disclosing party without the disclosing party's prior written consent, except disclosure to and subsequent uses by the receiving party's employees or consultants on a need-to-know basis, provided that such employees or consultants have executed written agreements restricting use or disclosure of such Confidential Information that are at least as restrictive as the receiving party's obligations under this Section. Subject to the foregoing nondisclosure and non-use obligations, the receiving party agrees to use at least the same care and precaution in protecting such Confidential Information as the receiving party uses to protect the receiving party's own Confidential Information and trade secrets, and in no event less than reasonable care. Each party acknowledges that due to the unique nature of the other party's Confidential Information, the disclosing party will not have an adequate remedy in money or damages in the event of any unauthorized use or disclosure of its Confidential Information. In addition to any other remedies that may be available in law, in equity or otherwise, the disclosing party will be entitled to seek injunctive relief to prevent such unauthorized use or disclosure.
  12. Limitation of Liability and Damages. NEITHER PROVIDER NOR ITS VENDORS AND LICENSORS WILL HAVE ANY LIABILITY TO YOU OR ANY THIRD PARTY FOR ANY LOSS OF PROFITS, LOSS OF SALES, TRADING LOSSES, LOSS OR INTERRUPTION OF BUSINESS, LOSS OR CORRUPTION OF DATA, OR ANY OTHER INCIDENTAL, CONSEQUENTIAL, OR SPECIAL LOSS OR DAMAGE, INCLUDING EXEMPLARY AND PUNITIVE, OF ANY KIND OR NATURE RESULTING FROM OR ARISING OUT OF THE TERMS, INCLUDING USE OF OR INABILITY TO USE THE SERVICES, EVEN IF PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE TOTAL LIABILITY OF PROVIDER AND ITS VENDORS AND LICENSORS TO YOU OR ANY THIRD PARTY ARISING OUT OF THE TERMS OR THE SERVICES, IN CONNECTION WITH ANY CLAIM OR TYPE OF DAMAGE (WHETHER IN CONTRACT OR TORT, INCLUDING NEGLIGENCE) WILL NOT EXCEED THE FEES, IF ANY, PAID UNDER THE ORDER FORM BY YOU DIRECTLY AND PROPORTIONATELY ATTRIBUTABLE TO THE SERVICES DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. THIS LIMITATION OF LIABILITY WILL APPLY EVEN IF THE EXPRESS WARRANTIES SET FORTH ABOVE FAIL OF THEIR ESSENTIAL PURPOSE.
  13. Term; Termination.
    1. Term; Termination. These Terms begin as of the Order Form effective date or the date on which you access or use the Services, whichever is earlier (the “Effective Date”) and will continue until all your Order Forms expire unless earlier terminated as set forth herein. The Terms, including any Order Forms executed hereto and the BAA, will automatically terminate upon Mayo’s or Provider’s notice to you in the event of your material breach of any of these Terms or the Order Form if you fail to cure such breach within thirty (30) days of Provider’s notice.
    2. Effect of Termination. Upon termination of these Terms, the Order Form, or termination of a particular Service for any reason: (a) your and all End Users’ access to and use of the Services will cease as of the effective date of termination; (b) you will pay to Provider or to Mayo (as specified in the applicable Order Form) all undisputed sums due to Provider or to Mayo, as applicable, for Services through the effective date of such expiration or termination (prorated as appropriate); and (c) Provider will reasonably cooperate with you in transitioning Your Data back to you.
  14. General Provisions.
    1. Force Majeure. Except for the payment of money as described in the Order Form, neither party will be liable for any failure or delay in performance under these Terms which is due to any event beyond the reasonable control of such party, including without limitation, fire, explosion, unavailability of utilities or raw materials, internet delays and failures, telecommunications failures, unavailability of components, labor difficulties, war, riot, act of God, quarantines, pandemic, export control regulation, laws, judgments or government instructions (“Force Majeure Events”).
    2. Governing Law and Venue. These Terms will be construed according to, and the rights of the parties will be governed by, the laws of the State in which Provider’s principal place of business is located, without reference to its conflict of laws rules requiring or permitting the application of the laws of a different jurisdiction. The parties agree that all actions or proceedings arising in connection with these Terms will be tried and litigated exclusively in the state or federal courts at the location of Provider’s principal place of business, and you hereby irrevocably consent to the exclusive jurisdiction of the courts in such location.
    3. Restriction on Use of Name. Neither party to these Terms will use the names or trademarks of the other party or any of the other party's affiliated entities in any news release, advertising, publicity, endorsement, promotion, or commercial communication without the prior written approval of the other party for the particular use contemplated.
    4. Survival. The following Sections will survive termination or expiration of these Terms: 8 (Proprietary Rights), 12.3 (Disclaimer of Warranties), 13 (Provider Indemnity), and 14 (Your Indemnity) (with respect to 13 and 14, for claims accruing prior to termination), 15 (Confidentiality), 16 (Limitation of Liability and Damages), 17 (Termination), and 18 (General Provisions).

Attachment A
BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“Business Associate Agreement or BAA”) is made effective as of the Effective Date of the Terms by and between [Solution Developer Name] (“Business Associate”) and the company or other legal entity agreeing to the Terms (“Covered Entity”). This BAA forms an integral part of the Subscription Terms of Service (“Terms”) between Business Associate and Covered Entity. The purpose of this BAA is to satisfy certain obligations of Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the implementing regulations to ensure the integrity and confidentiality of Protected Health Information.

In consideration of the foregoing and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Business Associate and Covered Entity agree as follows:

  1. Definitions. Capitalized terms used, but not otherwise defined, in these Terms shall have the meanings given them in HIPAA or HITECH. For convenience of reference, the definitions of terms as of the Effective Date are as follows:
    1. “Protected Health Information” (herein “PHI”) means Individually Identifiable Health Information that Business Associate receives from Covered Entity or from another business associate of Covered Entity or which Business Associate creates for Covered Entity which is transmitted or maintained in any form or medium. “Protected Health Information” shall not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g, or education records described in 20 U.S.C. §1232g(a)(4)(B)(iv), or employment records held by Covered Entity in its role as employer.
    2. “Services” means the services for or functions on behalf of Covered Entity performed by Business Associate pursuant to any underlying agreement(s) between Covered Entity and Business Associate (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.
    3. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and 164.
  2. Obligations and Activities of Business Associate.
    1. Non-Disclosure. Business Associate will not Use or Disclose PHI other than as permitted or required by these Terms or as Required by Law.
    2. Safeguards. Business Associate will Use appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by these Terms. Business Associate will develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity, availability and confidentiality of and to prevent non-permitted or violating Use or Disclosure of PHI, including electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate will comply with the applicable requirements of the Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity as a Covered Entity in the performance of such obligations.
    3. Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an unauthorized Use or Disclosure of PHI by Business Associate or its Workforce or Subcontractors in violation of the requirements of these Terms or applicable law. Business Associate will cooperate and ensure cooperation of its Workforce and Subcontractors with Covered Entity in the investigation and resolution of any Breach, Use or Disclosure of PHI which violates the terms of these Terms.
    4. Reporting. Business Associate will notify the Privacy Officer of Covered Entity, in writing, of any Use or Disclosure of PHI that is not permitted or required by these Terms or any Security Incident of which Business Associate becomes aware as soon as practicable but in no event more than seventy-two (72) hours. If an impermissible Use or Disclosure or a Security Incident constitutes a Breach of Unsecured Protected Health Information, then Business Associate shall supplement any written reports required hereunder with all available information required for Breach notification, including the content required pursuant to 45 C.F.R. §164.410(c).
    5. Subcontractors. Business Associate will ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions contained in these Terms with respect to PHI.
    6. Access. Business Associate will provide access, within ten (10) business days of receiving a written request from Covered Entity, to PHI from a Designated Record Set of Covered Entity to Covered Entity in order to meet the requirements under 45 C.F.R. §164.524. This provision does not apply if Business Associate and its Workforce and Subcontractors have no PHI from a Designated Record Set of Covered Entity.
    7. Amendments. Business Associate will make, any amendment(s) to PHI in a Designated Record Set of Covered Entity that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526.
    8. Accounting for Disclosures. Business Associate will document such Disclosures by Business Associate of PHI and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R §164.528. Business Associate agrees to provide to Covered Entity, within ten (10) business days of receiving a written request from Covered Entity, information collected in accordance with the preceding sentence, to permit Covered Entity to respond to a request by an Individual for such an accounting of disclosures.
  3. Obligations of Covered Entity.
    1. In accordance with 42 U.S.C. §17935(b) and 45 C.F.R. §164.502(b)(1) and any guidance issued thereunder, Covered Entity shall make reasonable efforts to limit its use, disclosures and requests of PHI to Business Associate to the minimum PHI necessary for the Business Associate to provide Services to Covered Entity.
    2. Covered Entity shall inform Business Associate of its privacy practices and any agreed restrictions on PHI as follows:
      1. Covered Entity shall advise Business Associate of any limitations in the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
      2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes affect Business Associate's Use or Disclosure of PHI.
      3. Covered Entity shall notify Business Associate of any restrictions on Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restrictions may affect Business Associate's Use or Disclosure of PHI.
    3. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would violate the Privacy Rule or any other applicable law if done by Covered Entity, except that Business Associate may, in its discretion, Use or Disclose PHI for management and administrative activities of Business Associate
  4. Permitted Uses and Disclosures by Associate.
    1. Functions and Activities on Covered Entity's Behalf. Except as otherwise limited in these Terms or the Underlying Agreement between Business Associate and Covered Entity, Business Associate may request, Use, or Disclose PHI on behalf of, or to provide Services to, Covered Entity only for purposes authorized by Covered Entity in an Underlying Agreement, if such Use or Disclosure of PHI would not violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity itself, except as set forth in Section 4.2.
    2. Business Associate's Operations. Except as otherwise limited in these Terms or any other agreement between Business Associate and Covered Entity: (a) Business Associate may Use PHI for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities; (b) Business Associate may Disclose PHI for Business Associate's proper management and administration, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that (i) it will remain confidential and will be Used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and (ii) the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
  5. Term and Termination.
    1. Term. The term of these Terms shall commence as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the provisions of this Section 5.
    2. Termination for Cause. As provided in HIPAA, including 45 C.F.R. §164.504(e)(2)(iii), upon Covered Entity's reasonable determination that Business Associate has breached a material term of this BAA, Covered Entity shall be entitled to give Business Associate an opportunity to cure. If Business Associate does not cure the breach or end the violation according to Section 17.1 of the Terms.
    3. Effect of Termination. Upon completion of the functions performed on behalf of Covered Entity or whenever the PHI is no longer necessary to perform such functions, Business Associate agrees to return, or destroy, except to the extent infeasible, all PHI to Covered Entity. If the return or destruction of some or all such PHI is infeasible, Business Associate will continue to extend the protections of these Terms to the PHI for as long as Business Associate retains the PHI.
  6. Indemnification. Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its respective employees, staff, officers and directors, (“Covered Entity Indemnified Parties”) from and against any and all liability, losses, costs, fines, sanctions, or penalties the Covered Entity Indemnified Parties may suffer, pay or incur as a result of third party claims, demands or actions, including those imposed by any regulator, against any of the Covered Entity Indemnified Parties arising from the negligent, reckless or intentional misconduct or inactions of the Business Associate or its officers, directors, employees, staff or contractors, or the failure of the Business Associate or its officers, directors, employees, staff or contractors to comply with this BAA or applicable laws, rules and regulations. For clarity, the indemnification obligations in this Section include reimbursement to Covered Entity for mitigation costs incurred by Covered Entity arising from a privacy breach, such as costs associated with patient notifications related to a privacy breach, such as, print or broadcast media announcements, securing credit reporting or monitoring services, and obtaining identity theft insurance on behalf of patients and related third parties.
  7. Limitation of Liability. WITH THE EXCEPTION OF BUSINESS ASSOCIATE’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 6, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, OR INCIDENTAL DAMAGES, INCLUDING ANY LOST PROFITS, ARISING FROM OR RELATING TO THIS BAA EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITH RESPECT TO BUSINESS ASSOCIATE’S INDEMNIFICATION OBLIATIONS IN SECTION 6, THE CUMULATIVE TOTAL LIABILITY OF BUSINESS ASSOCIATE WILL NOT EXCEED THE GREATER OF U.S. $10,000,000.00 OR THE FOLLOWING SUPER CAPS BASED ON THE VOLUME OF INDIVIDUALS’ PHI AFFECTED:
Range of Individuals AffectedSuper Cap
500,001 - 4,000,000$15,000,000.00
4,000,000 or more$20,000,000.00
  1. Government Access to Records. Business Associate will make internal practices, books, and records, relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for purposes of the Secretary determining Covered Entity's compliance with HIPAA and HITECH.
  2. Prohibition on Sale of PHI. Except as provided in Section 13405(d)(2) of HITECH, neither Business Associate nor Covered Entity shall receive remuneration in exchange for any PHI of an Individual absent a HIPAA compliant authorization from such Individual.
  3. Subscription Terms of Service. For avoidance of doubt, this BAA is subject to the Terms between Covered Entity and Business Associate, including but not limited to the exclusions and limitations on liability set forth therein.