GENERAL CONTRACT FOR SERVICES
This Contract for Services is made effective as of dates outlined on any Scope of Service, Quote, or Proposal, by and between you, the entity making purchases under this Agreement and its Affiliates (“Customer”) and Sunset Technologies Group Inc. (“Sunset”) of 8236 Arthur St NE # 5, Minneapolis, MN 55432.
BY CLICKING “I AGREE” WHEN PROMPTED, SIGNING BELOW, OR ORDERING, PURCHASING, ACCEPTING, OR USING SERVICES PROVIDED BY SUNSET, YOU ACKNOWLEDGE YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO ABIDE BY ITS TERMS. IF YOU ACCEPT ON BEHALF OF A BUSINESS OR LEGAL ENTITY, YOU REPRESENT AND WARRANT YOU HAVE THE AUTHORITY TO BIND THAT LEGAL ENTITY TO THIS AGREEMENT AND “YOU” WILL REFER TO THAT LEGAL ENTITY. IF YOU DO NOT UNCONDITIONALLY AGREE TO THE FOREGOING, DISCONTINUE USE OF SUNSET’S SERVICES OR PRODUCTS IMMEDIATELY. ACCEPTANCE OF THIS AGREEMENT IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. SUNSET RESERVES THE RIGHT TO UPDATE THIS AGREEMENT FROM TIME TO TIME.
- MASTER AGREEMENT. This is a master agreement (“Agreement”) that governs all services that Sunset performs or provides to Customer (collectively, the “Services”) and all software, equipment, and devices Sunset sells or provides to Customer (collectively, the “Products”). The scope, terms, and fees charged for the Services are outlined in proposal(s), quote(s), or scope(s) of services that Sunset provides to Customer (each, a “SOS”). A SOS may be accepted electronically or by physically signing it and, once Customer and Sunset mutually agree to a SOS, the SOS will automatically become a part of, and governed under, the terms of this Agreement. Conflicts. If there is a material difference between the language in a SOS and the language in this Agreement, then the language of the SOS will control, except in situations involving warranties, limitations of liability, or termination of this master agreement. Under those limited circumstances, the terms of this Agreement will control unless the SOS expressly states that it is overriding the conflicting provisions of this Agreement.
- PAYMENT. Customer agrees to pay fees pursuant to each signed quote, proposal or SOS.
Payment shall be made to Sunset Technologies, 8236 Arthur St NE # 5, Minneapolis, MN 55432, via ACH. An ACH agreement is included in the Exhibits.
If any invoice is not paid when due, interest will be added to and payable on all overdue amounts at 1.5 percent per year, or the maximum percentage allowed under applicable Minnesota laws, whichever is less.
Customer shall pay all costs of collection, including without limitation, reasonable attorney fees. In addition to any other right or remedy provided by law, if Customer fails to pay for the Services when due, Sunset has the option to treat such failure to pay as a material breach of this Contract and may cancel this Contract and/or seek legal remedies.
The price set forth in our SOSs does not include any sales, use, service, or similar taxes that might be payable by reason of the provision of the services, and Customer will pay all such taxes which may become due in conjunction with the services and after Sunset has provided Customer with 30 days’ notice of such tax becoming due.
Hardware (if applicable): this pricing includes an assumption that the hardware purchased via a payment plan option (Hardware for Life) is provided at cost. This cost will be passed on to the customer in the event of an early termination.
- TERM. This Contract will remain in effect for a period of either one year or three years as outlined in the SOS. This Contract will automatically renew for successive one-year terms at the end of the initial term unless either party provides a 60-day notice to terminate.
- WORK PRODUCT OWNERSHIP. Any copyrightable works, ideas, discoveries, inventions, patents, products, or other information (collectively the “Work Product”) developed in whole or in part by Sunset in connection with the Services will be the exclusive property of Sunset. Upon request, Customer will execute all documents necessary to confirm or perfect the exclusive ownership of Sunset to the Work Product.
- CONFIDENTIALITY. Sunset, and its employees, agents, or representatives will not at any time or in any manner, either directly or indirectly, use for the personal benefit of Sunset, or divulge, disclose, or communicate in any manner, any information that is proprietary to Customer. Sunset and its employees, agents, and representatives will protect such information and treat it as strictly confidential. This provision will continue to be effective after the termination of this Contract. Any oral or written waiver by Customer of these confidentiality obligations which allows Sunset to disclose Customer’s confidential information to a third party will be limited to a single occurrence tied to the specific information disclosed to the specific third party, and the confidentiality clause will continue to be in effect for all other occurrences.
- WARRANTY. Sunset shall provide its services and meet its obligations under this Contract in a timely and workmanlike manner, using knowledge and recommendations for performing the services which meet generally acceptable standards in Sunset’s community and region, and will provide a standard of care equal to, or superior to, care used by service providers similar to Sunset on similar projects.
HIPAA (If Applicable). In the event that Customer is a covered entity as outlined under the Health Insurance Portability and Accountability Act, Sunset represents that it will make best efforts to keep the Customer’s hardware compliant as outlined in the HIPAA HITECH Act. This representation is dependent upon Customer adhering to the “Minimum Standards” outlined under section 30 of this agreement. If Customer declines any compliance services offered by Sunset, Sunset’s liability in the event of a data breach will be waived.
- LIMITATION OF LIABILITY. THE FOREGOING WARRANTY IS EXCLUSIVE AND IS IN LIEU OF ALL OTHER WARRANTIES, CONDITIONS, REPRESENTATIONS AND GUARANTEES, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW, CUSTOM, ORAL OR WRITTEN STATEMENTS OF SUNSET (INCLUDING ANY AUTHORIZED REPRESENTATIVE OF SUNSET PERFORMING SERVICES ON SUNSET’S BEHALF) INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR OF ERROR-FREE, VIRUS-FREE OR UNINTERRUPTED USE OF ANY DELIVERABLE PROVIDED HEREUNDER.
Limitation of Damages. Customer agrees that Sunset’s liability for damages, regardless of the form of action, shall be limited to the cost to remedy the problem or the total fees received for the most recent 12 months tied to the service that caused the damage, under this Agreement, whichever is the smaller amount. In no event shall Sunset be liable for any consequential damages, even if Sunset has been advised of the possibility of such damages.
Customer also agrees to the release language outlined below under the General Release section.
In providing Services, Sunset may utilize software programs and/or hardware devices. While Sunset shall exercise reasonable efforts to ensure that each deliverable does not contain any harmful code or instruction (collectively “virus”) which may adversely affect Customer’s data processing operating environment, Customer shall remain solely responsible to perform all reasonable checks and reviews of each deliverable to the extent it deems necessary to identify and prevent any virus from being incorporated into Customer’s data processing environment.
- TERMINATION. This Agreement may be terminated (i) by either Sunset or Customer, with cause upon 30 days’ prior written notice; or (ii) by Sunset immediately upon Customer’s bankruptcy (voluntary or involuntary), insolvency or (iii). The Customer* or Sunset may terminate this agreement without cause with sixty (60) days written notice.
*Early Termination Fee – This agreement may be terminated prematurely without cause by Customer with a sixty (60) day written notice in which the Customer is responsible for an Early Termination Fee. The Early Termination Fees will include fees for the remaining months of the current one-year or three-year agreement that is in force. For example, if the effective date is January 1, and the without cause termination date is September 30th of the third year of the agreement, the remaining three months will be due as the Early Termination Fee.
*In addition to monthly amounts, Customer will reimburse the hardware costs if applicable.
Upon termination of this Agreement (i) Customer shall promptly pay all fees payable to Sunset in respect of Services performed through the date of termination; and (ii) each party shall return or destroy, at the direction of the other party, all confidential proprietary data and information of the other party then in its possession.
- OBLIGATIONS OF CUSTOMER.
- Customer will immediately notify Sunset upon learning of any significant problem with the performance of the network.
- Customer will cooperate with Sunset in connection with its performance of the services by providing access to Customer’s physical premises as reasonably necessary from time to time.
- Customer will, from time to time, purchase such software and hardware as may be reasonably necessary for the necessary operation of its network.
- Customer will be in coordination with Sunset for performing the day-to-day tasks associated with creating archival or backup copies of data stored on the network servers and/or on the hard drives of individual workstations. If backup services are not purchased, Customer releases Sunset from all liability as outlined below.
- Customer will notify Sunset within a commercially reasonable time regarding any change in the identity of Customer’s network administrator.
- DEFAULT. The occurrence of any of the following shall constitute a material default under this Contract:
- The failure to make a required payment when due.
- The insolvency or bankruptcy of either party.
- The subjection of any of either party’s property to any levy, seizure, general assignment for the benefit of creditors, application, or sale for or by any creditor or government agency.
- The failure to make available or deliver the Services in the time and manner provided for in this Contract.
- The failure of Customer to fulfill its Obligations.
- REMEDIES. In addition to any and all other rights a party may have available according to law, if a party defaults by failing to substantially perform any provision, term or condition of this Contract (including without limitation the failure to make a monetary payment when due), the other party may terminate the Contract by providing written notice to the defaulting party. This notice shall describe with sufficient detail the nature of the default. The party receiving such notice shall have 30 days from the effective date of such notice to cure the default(s). Unless waived in writing by a party providing notice, the failure to cure the default(s) within such time period shall result in the automatic termination of this Contract.
- FORCE MAJEURE. If performance of this Contract or any obligation under this Contract is prevented, restricted, or interfered with by causes beyond either party’s reasonable control (“Force Majeure”), and if the party unable to carry out its obligations gives the other party prompt written notice of such event, then the obligations of the party invoking this provision shall be suspended to the extent necessary by such event. The term Force Majeure shall include, without limitation, acts of God, fire, explosion, vandalism, storm or other similar occurrence, orders or acts of military or civil authority, or by national emergencies, insurrections, riots, or wars, or strikes, lock-outs, work stoppages, or supplier failures. The excused party shall use reasonable efforts under the circumstances to avoid or remove such causes of non-performance and shall proceed to perform with reasonable dispatch whenever such causes are removed or ceased. An act or omission shall be deemed within the reasonable control of a party if committed, omitted, or caused by such party, or its employees, officers, agents, or affiliates.
- DISPUTE RESOLUTION. The parties will attempt to resolve any dispute arising out of or relating to this Agreement through friendly negotiations amongst the parties. If the matter is not resolved by negotiation, the parties will resolve the dispute using the below Alternative Dispute Resolution (ADR) procedure.
Any controversies or disputes arising out of or relating to this Agreement will be resolved by binding arbitration under the rules of the American Arbitration Association. The arbitrator’s award will be final, and judgment may be entered upon it by any court having proper jurisdiction.
- ASSIGNMENT. Neither this Contract nor any rights or obligations hereunder may be assigned or otherwise transferred by Customer without the prior written consent of Sunset.
- EMPLOYEE SOLICITATION. Customer shall not, without the written consent of Sunset, solicit, employ, or offer employment to any Sunset employee (or any employee of an authorized representative of Sunset performing services on behalf of Sunset) during the term of this Contract or within one (1) year following the termination of his or her employment with Sunset. In recognition of the fact that the disruption to Sunset caused by Customer’s hiring of any of Sunset’s employees or independent contractors may be significant and it is difficult of estimation, the parties agree to a placement fee as a reasonable forecast of just compensation. In the event of Customer hiring any of Sunset’s employees or independent contractors contrary to this section of this Agreement, Customer shall pay Sunset a one-time placement fee of $40,000 per occurrence. The parties agree that this placement fee is just compensation and not a penalty.
- ENTIRE AGREEMENT. This Contract contains the entire agreement of the parties, and there are no other promises or conditions in any other agreement whether oral or written concerning the subject matter of this Contract. This Contract supersedes any prior written or oral agreements between the parties.
- SEVERABILITY. If any provision of this Contract will be held to be invalid or unenforceable for any reason, the remaining provisions will continue to be valid and enforceable. If a court finds that any provision of this Contract is invalid or unenforceable, but that by limiting such provision it would become valid and enforceable, then such provision will be deemed to be written, construed, and enforced as so limited.
- AMENDMENT. This Contract may be modified or amended in writing by mutual agreement between the parties, if the writing is signed by the party obligated under the amendment.
- GOVERNING LAW. This Contract shall be construed in accordance with the laws of the State of Delaware, without giving effect to its conflict of laws provisions.
- NOTICE. Any notice or communication required or permitted under this Contract shall be sufficiently given if delivered in person or by certified mail, return receipt requested, to the address set forth in the opening paragraph or to such other address as one party may have furnished to the other in writing.
- WAIVER OF CONTRACTUAL RIGHT. The failure of either party to enforce any provision of this Contract shall not be construed as a waiver or limitation of that party’s right to subsequently enforce and compel strict compliance with every provision of this Contract.
- ATTORNEY’S FEES TO PREVAILING PARTY. In any action arising hereunder or any separate action pertaining to the validity of this Agreement, the prevailing party shall be awarded reasonable attorney’s fees and costs, both in the trial court and on appeal.
- CONSTRUCTION AND INTERPRETATION. The rule requiring construction or interpretation against the drafter is waived. The document shall be deemed as if it were drafted by both parties in a mutual effort.
- DATA THEFT AND SECURITY BREACH. Neither this Agreement nor any SOS shall constitute an absolute guaranty regarding the security of data of Customer. Absent an SOS dealing with cybersecurity, Sunset does not obligate itself to design, advise or implement administrative, physical or technical safeguards to protect against unauthorized access, disclosure or use of personally identifiable information maintained by Customer.
Sunset has taken commercially reasonable steps to provide a secure system within the limitations existing in network and computer infrastructure. Sunset does not warrant or guarantee that communication over the wires shall be secure from monitoring or tampering, nor that information stored on any computer connected to Customer’s network will be secure from monitoring or tampering. Sensitive or confidential information (such as credit card numbers or other financial information, medical information or trade secrets) sent by Customer or Customer’s users is at Customer’s sole risk and Sunset shall have no liability whatsoever for any claims, losses, action, damages, suits or proceedings arising out of or otherwise relating to such actions by Customer.
- INDEMNIFICATION. Customer hereby agrees to defend, protect, indemnify and hold harmless Sunset for claims arising out of the Customer’s use of software or hardware that is in the Customer’s sole possession. Customer shall also indemnify Sunset against any claim that any data, materials, items or information supplied to Sunset under the Agreement infringes any US patent, copyright, trademark or licensing within the jurisdictions where Sunset is provided with such information.
In addition to onsite support, and for the purposes of providing proactive monitoring, Sunset may access Customer’s network remotely to provide Services. Customer authorizes Sunset to access Customer’s network remotely.
- WAIVER OF SUBROGATION. To the extent permitted by law, each party waives all rights against the other for recovery of damages to the extent these damages are covered by a policy of insurance.
- THIRD PARTY PRODUCTS. To the extent that Customer has ordered services or products provided by a third party, Customer acknowledges such third-party services or products may require Customer to accept an End User License Agreement (“EULA”) or other third-party services agreement and that such agreement is a binding agreement between such third-party provider and Customer. Sunset retains all right, title, copyright, patent, trademark, trade secret and all other proprietary interests to all services and any derivatives thereof. No title, copyright, patent, trademark, trade secret or other right of intellectual property not expressly granted under the Agreement is exchanged between the parties. Customer acknowledges that Customer is acquiring products and services from Sunset as a reseller for a third-party manufacturer. All restrictions and other terms pertaining to the third-party products or services are found only in the applicable agreement provided with the third-party products or services by the third-party manufacturer of the product and any such license agreement is only between the Customer and the third-party manufacturer of the product, and all warranties are applicable only against the third-party provider.
- INDEPENDENT CONTRACTOR. The relationship between the parties is that of an independent contractor, and nothing in this Agreement should be construed to create a partnership, joint venture, or employer-employee relationship. Each party shall, at all times during the term of this Agreement, perform the duties and responsibilities herein without any control by the other party. Either party may realize a profit or loss in connection with performing the Services. Either party may render similar services for the benefit of others. Neither Party is an agent of the other party and is not authorized to make any representations, contract, or contract commitment on behalf of the other party.
- CONFIDENTIALITY. Each party shall treat the information received from the other party that is designated as confidential or otherwise so identified, and/or any information that by its form, nature, content or mode of transmission would to a reasonable recipient be deemed confidential or proprietary (“Confidential Information”) as and not disclose or use such Confidential Information except in the performance of this Agreement. Each party agrees to use the same degree of care that it maintains with regard to its own information of similar or like importance. Company designates the Services, all information relating to the Services and the financial terms of this Agreement as Confidential Information. Both parties shall:
(i) restrict disclosure of Confidential Information to employees and agents solely on a “need to know” basis;
(ii) advise employees and agents of their confidentiality obligations;
(iii) protect the confidential information of the disclosing party in the manner the disclosing party would protect such information;
(iv) notify the other of any unauthorized possession or use of that party’s Confidential Information as soon as practicable after receiving notice of same; and
(v) if either party is legally compelled in any litigation, administrative, or similar proceeding to disclose the other Party’s Confidential Information, such party shall immediately notify the other Party and reasonably cooperate with the other Party to seek a protective order for such Confidential Information, at the other Party’s expense.
Notwithstanding the foregoing, neither party shall be obligated to preserve the confidentiality of any information which:
(i) was previously known;
(ii) is a matter of public knowledge;
(iii) was or is independently developed by the recipient;
(iv) is released for disclosure with written consent;
(v) is received from a third-party to whom the information was disclosed without restriction; or
(vi) is disclosed by the non-receiving party to other persons without similar restriction.
- MINIMUM STANDARDS REQUIRED FOR SERVICES. In order for Customer’s existing environment to qualify for services, the following requirements (“Minimum Standards”) must be met. If the Minimum Standards are not met, upgrades must be performed by Customer resources, a third-party, or by Sunset at additional cost to Customer under a separate SOS as a deliverables-based project at standard bill rates.
(i) All hardware and systems must be covered under a currently active vendor support contract with replaceable parts readily available, and all software must be genuine, currently licensed and vendor-supported.
(ii) All servers with Microsoft Windows Operating Systems must be running a Mainstream or Extended Support version and have all of the latest Microsoft Service Packs and critical updates installed.
(iii) All servers and network devices must be protected by a fully operational, right-sized uninterruptible power supply (UPS) to protect against loss of power. In addition, UPSs for desktops are strongly encouraged.
(iv) Customer must be utilizing a Windows-based Active Directory domain controller running on a Mainstream or Extended Support version of Microsoft Server, or a cloud service.
(v) All desktop PCs and notebooks/laptops with Microsoft Windows Operating Systems must be running a Mainstream or Extended Support version and have all of the latest Microsoft Service Packs and critical updates installed.
(vi) All desktop PCs and notebooks/laptops with Apple operating systems must maintain an operating system version no older than two (2) releases older than the most current release by Apple, Inc.
(vii) All server and desktop software must be genuine, licensed and vendor-supported.
(viii) The environment must have a currently licensed, up-to-date, and vendor-supported server-based antivirus solution protecting all servers, desktops, notebooks/laptops and email.
(ix) The environment must have a currently licensed, vendor-supported server-based backup solution.
(x) The environment must have a currently licensed, vendor-supported hardware firewall between the internal network and the Internet.
(xi) Any wireless data traffic in the environment must be secured with a minimum of WPA 128-bit data encryption (WPA2 recommended and preferred) and private authentication. WEP encryption is inadequate for protection of Customer’s data and technology environment.
Should any hardware or systems fail to meet these provisions, they may be excluded from this Service Level Agreement and its included services. In addition, the following release will be in effect.
General Liability Release of Claims
I, Customer, of Sunset Technologies Group, Inc., for and in consideration of the contracted services provided to me the receipt and sufficiency of which is hereby acknowledged, do hereby release and forever discharge Sunset Technologies Group, Inc., their agents, employees, successors and assigns, and their respective heirs, personal representatives, affiliates, successors and assigns, and any and all persons, firms or corporations liable or who might be claimed to be liable, whether or not herein named, from any and all claims, demands, damages, actions, causes of action or suits of any kind or nature whatsoever, whether known or unknown, fixed or contingent, which I now have or may hereafter have or claim to have, as a result of or in any way relating to the following:
Loss of Data
Loss of Data means that due to an event, the Customer’s data is not retrievable or usable in the normal course of business.
If Customer has not purchased a backup solution offered at any time by Sunset Technologies Group, Inc., this release applies to any and all claims related to loss of data. In addition, this Release applies to loss of data that falls under the “Equipment Malfunction” section below, as well as the HIPAA Breach section outlined below.
Equipment malfunction
If Customer has not purchased computers, servers or other peripherals from Sunset Technologies Group, Inc. this release applies to any and all claims related to equipment malfunction. In addition, if Sunset Technologies Group, Inc. is providing IT support to equipment that is supported by another entity, this release applies in all situations except Sunset’s negligence.
HIPAA breach
If Customer has not purchased Sunset’s full set of compliance services, including but not limited to a backup solution, firewall, switch, anti-virus, PCI Compliance, Breach Insurance and other HIPAA/cyber related services, this release applies to any breach situation.
- NO GUARANTEE. Although Sunset has taken commercially reasonable steps to provide a secure system within limitations existing in network and computer infrastructure, Sunset does not warrant or guarantee that communication over the Services will be secure from monitoring or tampering, nor that information stored on any computer connected to the Services will be secure from monitoring or tampering. Because of this, any sensitive or confidential information (such as credit card numbers or other financial information, medical information or trade secrets) sent by Customer or Customer’s Users is at Customer’s sole risk and Sunset shall have no liability whatsoever for any claims, losses, action, damages, suits or proceedings arising out of or otherwise relating to such actions by Customer or its Users.
- INSURANCE. During the Agreement:
- Sunset shall carry and maintain in full force and effect, at its own expense, professional errors and omissions liability insurance with coverage for the performance or failure to perform any professional services provided by Sunset under this Agreement, and with limits of $1,000,000 per claim and $2,000,000 in the annual aggregate.
- Customer shall carry and maintain in full force and effect network security and privacy liability insurance including but not limited to coverage for privacy and network security liability: 1st and 3rd party liability, wrongful disclosure of data, wrongful disclosure of confidential information, breach of security, including unauthorized access to a computer system or database, extortion and extortion related threats, payments and interruption, downtime, identification theft, web hosting (if applicable), and with a minimum policy limit of $1,000,000 per occurrence or claim and $2,000,000 in the annual aggregate. Customer shall cause Sunset to be named as an additional insured on all the insurance policies required under this Section.
- Customer will maintain a Cyber Insurance policy in force at all times during the term of the Service Order and for a period of two years thereafter for services completed during the term of the Service Order. Customer’s policy will provide for Data Security & Privacy “Cyber” coverage (including coverage for unauthorized access and use, failure of security, breach of confidential information, of privacy perils, as well as breach mitigation costs and regulatory coverage) with a minimum policy limit of $1,000,000 per occurrence or claim and $2,000,000 in the annual aggregate. Customer shall cause Sunset to be named as an additional insured on all the insurance policies required under this Section. If Customer does not have a Cyber Insurance policy in place at the time of execution of this Service Order, Customer warrants that it will obtain a policy within three months of the Service Order effective date.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made effective as of the date outlined on the Approval page, by and between “Customer” (as listed on the Approval Page) and Sunset Technologies (“Sunset”) of 8236 Arthur St NE # 5, Minneapolis, MN 55432. The Covered Entity is referred to below as “CE.” The Business Associate is referred to below as “BA.”
RECITALS
- This Agreement is entered into by CE and BA for the purposes of complying with privacy and security regulations issued by the United States Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
- CE is a covered entity as such term is defined under HIPAA, and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information (“PHI”) (defined below).
- BA provides services to or on behalf of CE pursuant to the scope of a service project whereby BA will assess the technology environment for CE. The project may require CE to disclose individually identifiable health information to BA, some of which may constitute Protected Health Information (“PHI”) (defined below).
NOW THEREFORE, in consideration of the promises and mutual agreement contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties, intending to be legally bound, agree as set forth below.
AGREEMENT
- DEFINITIONS
For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below:
1.1 “Breach” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.402.
1.2 “Business Associate” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.3 “Covered Entity” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.4 “Designated Record Set” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.501.
1.5 “Disclosure” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.6 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.7 “Individual” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.8 “Minimum Necessary” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. §§ 164.502(b) and 164.514(d).
1.9 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
1.10 “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. §§ 160.103 and 164.501, and is the information created or received by BA from or on behalf of CE.
1.11 “Required By Law” shall have the meaning given to such term in 45 C.F.R. § 164.103.
1.12 “Secretary” shall have the meaning given to such term in 45 C.F.R. § 160.103.
1.13 “Security Incident” shall have the meaning given to such term under the Security Rule, including but not limited to, 45 C.F.R. § 164.304.
1.14 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
1.15 “Subcontractor” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
1.16 “Unsecured Protected Health Information or PHI” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.402.
1.17 “Use” shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.
- OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures of PHI. BA, its directors, officers, Subcontractors, employees, affiliates, agents, and representatives shall use or disclose PHI only (a) in connection with fulfilling its duties and obligations under this Agreement and the Service Agreement; (b) for the proper management and administration of BA; or (c) to carry out the legal responsibilities of BA.
2.2 Prohibited Uses and Disclosures of PHI. BA shall not use or disclose PHI other than as permitted or Required by Law. BA shall not use or disclose PHI in any manner that violates state or federal laws or would violate such laws if used or disclosed in such manner by CE.
2.3 Third Party Disclosures. BA shall obtain and maintain an agreement with each Subcontractor that has or will have access to PHI which is received from, created, or received by BA on behalf of CE, pursuant to which agreement such Subcontractor agrees to be bound by the same restrictions, terms, and conditions that apply to BA pursuant to this Agreement with respect to such PHI. BA shall also (a) obtain reasonable assurances from the Subcontractor that the PHI will be held in confidence and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and (b) obligate such person to notify BA of any instance in which PHI is used or disclosed that is not provided for in the Service Agreement, including incidents that constitute breaches of unsecured PHI or any security incident of which it becomes aware in which the confidentiality of the PHI has been breached.
2.4 Minimum Necessary. To the extent BA uses or discloses PHI received from, created, or received by BA on behalf of CE, BA will make reasonable efforts to limit PHI to the Minimum Necessary to accomplish the intended purpose of the use, disclosure or request.
2.5 Access of Individuals to PHI.
- In the event an Individual or entity requests access to PHI from BA, BA shall forward such request to CE within two (2) business days. CE is responsible for determining what PHI shall be unavailable to the Individual pursuant to 45 C.F.R. § 164.524.
- Any denial of access to PHI determined by CE pursuant to 45 C.F.R. § 164.524, and conveyed to BA by CE, shall be the responsibility of CE, including resolution or reporting of all appeals, and/or complaints arising from denials.
- BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R. § 164.524.
2.6 Amendment of PHI.
- In the event that any Individual requests that the BA amend his/her PHI, BA shall forward such request to CE within two (2) business days. The CE is responsible for determining what PHI is unavailable to the Individual pursuant to 45 C.F.R. § 164.526.
- Any denial of an amendment to PHI determined by CE pursuant to 45 C.F.R. § 164.526, and conveyed to BA by CE, shall be the responsibility of CE, including resolution or reporting of all appeals and/or complaints arising from denials.
- BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R. § 164.526.
- Within a mutually agreed upon time from receipt of a request from CE to amend an Individual’s PHI in a Designated Record Set, BA shall incorporate any amendments, statements of disagreement, and/or rebuttals approved by CE into its Designated Record Set, as required by 45 C.F.R. § 164.526.
2.7 Accounting of Disclosures.
- In order to allow CE to respond to a request by an Individual for an accounting of disclosures of a Designated Record Set pursuant to 45 C.F.R. § 164.528, BA shall, within a mutually agreed upon timeframe from CE’s written request for an accounting of disclosures of PHI about an Individual, make such information available to CE.
- In the event an Individual requests an accounting of disclosures of PHI directly from BA, BA shall forward such request to CE within a mutually agreed upon timeframe.
- BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R. § 164.528.
2.8 Subpoena or Legal Request for PHI. BA shall notify CE within a reasonable timeframe upon receipt of any request, subpoena, or other legal process to obtain PHI received from, or created or received by BA on behalf of CE. CE, in conjunction with BA, shall determine whether BA may disclose PHI pursuant to such request, subpoena, or other legal process. BA agrees to comply with CE’s determination in such instances. BA agrees to cooperate fully with CE in any legal challenge initiated by CE in response to such request, subpoena, or other legal process. The provisions of this Section shall survive the termination of this Agreement.
2.9 Reporting Breaches, Improper Disclosures, and Security Incidents.
- Breaches. In the event of notification of a Breach of any Unsecured PHI that BA accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of CE, BA shall report such Breach to CE immediately, but in no event more than five (5) days after discovering the breach. BA shall, in consultation with CE, mitigate, to the extent practicable, any harmful effect of such Breach that is known to the BA.
- Improper Disclosures. BA shall report any unauthorized or improper use or disclosure of PHI regarding the terms and conditions of this Agreement or applicable federal and state laws to CE as soon as practicable, but in no event later than five (5) business days of the date on which BA becomes aware of such unauthorized or improper use or disclosure. BA shall, in consultation with CE, mitigate to the extent practicable any harmful effect of such improper disclosures.
- Security Incidents. BA shall report to CE any Security Incident of which it becomes aware within a reasonable timeframe.
2.10 Safeguards.
- BA shall employ appropriate administrative, technical, and physical safeguards, consistent with the size and complexity of BA’s operations, to protect the confidentiality and security of PHI that it creates, receives, maintains, or transmits on behalf of CE and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement.
- BA shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of CE. Such safeguards shall include implementing written policies and procedures in compliance with HIPAA and the HITECH Act, conducting a security risk assessment, and training BA employees who will have access to PHI on BA’s policies and procedures as required by HIPAA and the HITECH Act.
2.11 Availability of Books and Records to CE. Within a mutually agreed upon timeframe of a written request by CE (tied to its own external audit), BA and its agents or Subcontractors shall provide to CE, BA’s internal practices, books, and records at reasonable times as they pertain to the use and disclosure of PHI received from, or created or received by BA on behalf of CE in order to ensure that CE and BA are in compliance with the requirements of this Agreement, and to the extent that CE determines such examination is necessary to comply with CE’s obligations pursuant to HIPAA. The availability of books and records from BA to CE is subject to the following conditions:
- BA and CE shall mutually agree in advance upon the reasonability, scope, timing, and location of such a review.
- CE shall protect the confidentiality of all confidential and proprietary information of BA to which CE has access during the course of inspection.
- CE shall execute a nondisclosure agreement, under terms mutually agreed upon by the parties, if requested by BA.
2.12 Governmental Access to Records. If requested, BA shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining BA’s compliance with the Privacy Rule and the Security Rule. BA shall notify CE within ten (10) calendar days of learning that BA has become the subject of an audit, compliance review, or complaint investigation by the Secretary. BA shall provide to CE a copy of such request for information and a copy of any PHI that BA provides to the Secretary concurrently with providing such PHI to the Secretary.
2.13 Data Ownership of PHI. BA acknowledges that, as between BA and CE, BA has no ownership rights with respect to PHI received from, created for, or used on behalf of CE.
- OBLIGATIONS OF COVERED ENTITY
3.1 Obligations. CE warrants that CE, its directors, officers, subcontractors, employees, affiliated agents, and representatives: (a) shall comply with the Privacy Rule in its use or disclosure of PHI; (b) shall not use or disclose PHI in any manner that violates applicable federal and state laws; (c) shall not request BA to use or disclose PHI in any manner that violates applicable federal and state laws if such use or disclosure were done by CE; and (d) may request BA to disclose PHI directly to another party only for the purposes allowed by the Privacy Rule.
3.2 Breach. CE shall provide notice to BA of any pattern of activity or practice of BA that CE believes constitutes a material breach or violation of the BA’s obligation under the Service Agreement or this Agreement within five (5) calendar days of discovery and shall meet with BA to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.
3.3 Permissible Requests by CE. CE shall not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA if done by CE, except as permitted pursuant to Section 2.
3.4 Notice of Privacy Practices. Upon request from BA, CE will provide BA with a copy of its Notice of Privacy Practices.
- TERM AND TERMINATION
4.1 Term. This Agreement shall commence on the Commencement Date and shall continue, unless earlier terminated pursuant to the terms and conditions herein, until the expiration of the Service Agreement (the “Term”).
4.2 Material Breach. A breach by BA of any provision of this Agreement, as determined by CE, shall constitute a material breach of this Agreement and shall provide grounds for immediate termination of the Service Agreement, any provision of the Service Agreement to the contrary notwithstanding.
- Where CE has knowledge of a material breach by BA, and a cure is possible, CE shall provide BA with an opportunity to cure. Where said breach is not cured within a reasonable timeframe of BA’s receipt of notice from CE of said breach, CE shall terminate the Service Agreement.
- In the event that BA or CE has knowledge of a material breach of this Agreement by the other, and a cure is not possible, the non-breaching party shall terminate the portion of the Service Agreement that is affected by the breach. When neither cure nor termination is feasible, the non-breaching party shall report the violation to the Secretary.
4.3 Effect of Termination. Upon termination of the Service Agreement for any reason, BA shall return or destroy all PHI that BA or its agents or Subcontractors still maintain in any form and shall retain no copies of such PHI. BA shall certify in writing to CE that the PHI has been destroyed. If return or destruction is not feasible, as determined by CE, BA shall continue to extend the protections of Section 2 of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI impractical. All destruction shall be in accordance with HIPAA, the HITECH Act, and applicable state law.
- INSURANCE AND INDEMNIFICATION
5.1 Insurance. No later than one (1) month from the Commencement Date of this Agreement, BA shall obtain, or ensure that its existing liability insurance covers, and shall maintain during the term of this Agreement liability insurance covering claims based on a violation of the Privacy Rule or any applicable law or regulation concerning the privacy of patient information and claims based on obligations pursuant to this Agreement in an amount not less than $1,000,000 per claim.
5.2 Indemnification. BA hereby agrees to indemnify and hold CE and its employees and agents harmless from and against any and all loss, liability, or damages, including reasonable attorneys’ fees, arising out of or in any manner occasioned by a breach of any provision of this Agreement by BA, its employees, agents, or Subcontractors. CE provides the same indemnification to BA.
- MISCELLANEOUS
6.1 Amendment. The parties agree to take such action to amend this Agreement from time to time as is necessary to comply with the requirements of HIPAA.
6.2 Certification. To the extent that CE determines that such an examination of BA’s security practices is necessary to comply with CE’s legal obligations pursuant to HIPAA, CE or its authorized agents or contractors, may examine BA’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which BA’s security safeguards comply with HIPAA, the HITECH Act, or this Agreement.
6.3 Assistance in Litigation or Administrative Proceedings. BA shall make itself, and any Subcontractors, employees or agents assisting BA in the performance of its obligations under the Service Agreement or Agreement, available to CE, at an agreed upon cost, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon a claimed violation of HIPAA, the HITECH Act, or other laws relating to security and privacy, except where BA or its Subcontractor, employee or agent is a named adverse party.
6.4 No Third-Party Beneficiaries. Except as expressly provided for in the Privacy Rule, there are no third-party beneficiaries to this Agreement. BA’s obligations under this Agreement are owed to CE only.
6.5 Effect on Service Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Service Agreement shall remain in force and effect.
6.6 Interpretation. The provisions of this Agreement shall prevail over any provisions in the Service Agreement that may conflict with or are inconsistent with any provision in this Agreement. This Agreement and the Service Agreement shall be interpreted to implement and comply with HIPAA and the HITECH Act. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HITECH Act.
6.7 Non-solicitation. CE shall not, without the written consent of BA, solicit, employ, or offer employment to any BA employee (or any employee of an authorized representative of BA performing services on behalf of BA) during the term of this Contract or within one (1) year following the termination of his or her employment with BA.
6.8 Conflicting Terms. In the event any terms of this Agreement conflict with any terms of the Service Agreement, the terms of this Agreement shall govern and control.
6.9 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware.
