Business Associate Agreement

RECITALS

  1. YOU have retained PokitDok, Inc. by virtue of using this platform to provide certain services (the “Services”).
  2. The Services may require PokitDok (as a Covered Entity under HIPAA) to disclose to YOU private and/or protected health and/or medical information, including Individually Identifiable Health Information and/or Electronic Protected Health Information (“PHI”) as defined in the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and/or regulations promulgated under such laws (state law, HIPAA, and HITECH are hereafter referred to collectively as “Privacy Laws”), and may require PokitDok to receive, access, review, maintain, retain, modify, record, store, forward, produce, hold, use, create, disclose, and/or destroy such information.
  3. PokitDok’s performance of the Services may give rise to certain legal obligations under Privacy Laws. YOU may be considered a “business associate,” and PokitDok may also be a “business associate” (providing services to upstream Covered Entities, depending on YOUR entity classification), as those terms are defined in 45 C.F.R. § 160.103. This Agreement shall not apply to relationships between the parties where PokitDok is not at least considered a “business associate” as defined in 45 C.F.R. § 160.103.

Accordingly, YOU agree to the terms and conditions set forth below:

TERMS OF AGREEMENT

  1. Compliance With Law.
    YOU shall comply with applicable Privacy Laws, and shall agree to any changes to this Agreement as necessary for PokitDok to comply with changes or updates to applicable Privacy Laws as they may be modified and/or supplemented from time to time.
  2. Interpretation.
    Any ambiguity herein must be resolved in favor of a meaning that permits PokitDok to comply with applicable Privacy Laws.
  3. Privileges and Protections.
    This Agreement does not constitute or evidence a waiver of, nor does it amend, the attorney-client privilege, the attorney work-product doctrine, and/or any other applicable privileges or protections.
  4. Your Obligations.
      4.1
      Handling of the PHI and Safeguards. YOU shall prevent access to, use and/or disclosure of PHI other than as permitted or required by this Agreement and/or applicable Privacy Laws, and shall implement and use, at all times, appropriate administrative, physical and technical safeguards to (i) prevent access, use, or disclosure of PHI other than as permitted by this Agreement and/or Privacy Laws; and (ii) reasonably and appropriately protect the confidentiality, integrity, security, and availability of PHI.

      4.2
      Minimum Necessary Use and Disclosure. YOU will determine the amount of PHI necessary for performance of the Services and shall make reasonable efforts to limit the receipt, use, and disclosure of PHI to the minimum necessary.

  5. Data Aggregation Use and De-identification.

    Notwithstanding anything in this Agreement to the contrary, PokitDok has the right to use in any manner and for any purpose, without restriction (subject to applicable law), any data gathered, collected, used, or otherwise received or transmitted hereunder, for any purpose; provided that in the case such data is PHI, it is de-identified prior to use. YOU shall provide all assistance as may be required to secure and effectuate such rights for PokitDok.

    This Section 5 shall survive any termination or expiration of this Agreement.

      5.1
      Management and Administration.

      PokitDok may also use and disclose PHI for management and administrative purposes. In doing so, PokitDok will comply with all applicable Privacy Laws and with Covered Entity’s obligations under subpart E of 45 CFR Part 164.
      5.2
      Disclosures to Subcontractors and/or Third Parties.

      YOU shall ensure that all representatives, subcontractors, persons and/or entities (other than entities that are merely conduits) to whom YOU disclose or provide the PHI execute a written Business Associate Agreement, as required under the Privacy Laws, in which such third persons and/or entities expressly agree to the same restrictions and conditions that apply to YOU hereunder, as applicable. If a Business Associate Agreement is not required by the Privacy Laws, YOU shall obtain reasonable assurances from all persons and entities who have access to or are recipients of the PHI that: (i) the PHI shall be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and (ii) the third party shall promptly notify PokitDok of any Compromise of PHI, and PokitDok shall, in turn, notify Covered Entity as and if applicable.

      5.3
      Access to, or Amendment of, PHI.

      To the extent that YOU maintain any PHI in a Designated Record Set, YOU agree:
      (a) to provide access to the PHI in a Designated Record Set to PokitDok and to authorized individuals as required by Privacy Laws, in the time, manner, and format designated by such individuals to the extent required by Privacy Laws; and

      (b) to make any amendment(s) to PHI in a Designated Record Set as requested by PokitDok and pursuant to 45 C.F.R. § 164.526.

      To the extent YOU receive requests directly from patients to access or amend PHI, YOU will promptly forward such requests to PokitDok and notify the patient that PokitDok shall respond to the request.

      Restrictions on PHI. To the extent that YOU access and disclose PHI in a Designated Record Set, YOU shall comply with any patient restrictions on the Use and Disclosure of PHI requested under Section 6.2 below.

      5.4
      Reporting of Violations and Security Incidents. YOU will report to PokitDok within seven (7) business days of actual knowledge any impermissible use or disclosure under Privacy Laws that Compromises the security or privacy of the PHI. YOU shall notify PokitDok of all such incidents, even if YOU determine there is a low probability that the PHI has been compromised based on YOUR risk assessment. YOU shall include in the report the following information if known or reasonably obtainable:
      (a) contact information for individuals who may be impacted;
      (b) the date of the incident and a brief description of the circumstances;
      (c) a description of the type of information involved; and
      (d) what is being done to investigate and mitigate harm to individuals.
      In addition, YOU will report to PokitDok by telephone, within seven (7) business days, any successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that does not Compromise the security or privacy of the PHI (“Security Incidents”). YOU will identify and respond internally to suspected or known Security Incidents, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide such documentation to PokitDok upon request. Notice is hereby deemed provided, and no further notice shall be given, with respect to routine unsuccessful attempts at unauthorized access to PHI, such as pings and other broadcast attacks on firewalls, denial of service attacks, failed login attempts, and port scans.

      The parties shall meet and confer in good faith before notifying affected individuals, government agencies, and/or commencing any legal action regarding any suspected Security Incident and/or breach of this Agreement unless otherwise required by law, and shall comply with applicable Privacy Laws regarding the need for and nature of any notification of individuals or reporting to government agencies.

      5.5
      Mitigation and Notification. PokitDok will, following the discovery of a Security Incident, conduct a prompt and reasonable risk assessment and mitigation to the extent practicable. If mitigation for any Security Incident hereunder requires credit monitoring or other similar credit protection services, PokitDok shall bear the costs related to notifying the affected individuals. Such costs, if appropriate and reasonable under the circumstances, may include the actual cost of notification, setting up and managing a toll-free number, and credit monitoring. PokitDok shall not pay more than One Hundred Thousand Dollars ($100,000) toward such services in the aggregate. PokitDok shall not be responsible for notifying individuals of a Security Incident, and shall not be responsible for any notification costs unless notification is required by applicable law.

      5.6
      In the event of a Breach of Unsecured PHI by Business Associate, PokitDok shall be entitled to enjoin and restrain Business Associate from any continued violation of this Agreement.

      5.7
      Accounting of PHI Disclosures. To the extent applicable, PokitDok will document and report to Covered Entity all disclosures of PHI that are required for Covered Entity to provide an accounting under 45 C.F.R. § 164.528 and/or the Privacy Laws. If an individual contacts PokitDok directly for such an accounting, PokitDok will direct the individual to contact Covered Entity.

      5.8
      Audits and Inspections. PokitDok will make its relevant records that are not protected by applicable legal privilege or work product protection relating to the use, disclosure, and/or compromise of PHI available to the Secretary of the United States, Department of Health and Human Services and/or other authorized lawful authority as required by applicable law or authorized by Covered Entity in writing.

  6. Covered Entity’s Obligations

      6.1
      Notice of Privacy Practices. Covered Entity is responsible for using the services of PokitDok in accordance with its Notice of Privacy Practices (“NPP”). Covered Entity shall provide a copy of its NPP to PokitDok upon request.
      6.2
      Restrictions and Revocations. YOU shall promptly notify PokitDok in writing of any patient-requested restrictions, changes to, or revocation of, consent and/or authorization to use and/or disclose PHI that may affect PokitDok’s ability to perform its obligations under this Agreement.
      6.3
      Compliant Requests. Neither party shall request or cause the other to make a Use or Disclosure of PHI in a manner that does not comply with Privacy Laws.
      6.4
      Authorizations. Each party shall obtain all consents and authorizations necessary and/or required by law for each party to fulfill their obligations under this Agreement.
      6.5
      Accounting of PHI Disclosures. Each party shall include, in any individual accounting requested under the Privacy Laws (including without limitation 45 C.F.R. § 164.528), any disclosures of PHI it has made, to the extent such disclosures are made.
      6.6
      Meet and Confer. Upon any suspected or actual unauthorized disclosure of PHI, Covered Entity shall meet and confer in good faith with PokitDok before notifying affected individuals, government agencies, and/or commencing any legal action, unless otherwise required by law.

  7. Term and Termination.

      7.1
      Term. The term of this Agreement shall commence upon receipt by PokitDok of any PHI or the date set forth below, whichever is earlier, and shall terminate upon discharge of PokitDok’s obligations under the Services Agreement and this Agreement, including the obligations set forth in Section 7.2 below, and/or performance of the Services.
      7.2
      Effects of Termination. If Covered Entity terminates Services or Services are terminated pursuant to Section 7, Covered Entity is solely responsible for ensuring that termination and the effects thereof shall not cause Covered Entity or PokitDok to violate applicable law.
      7.3
      Breach. Except as otherwise set forth in Section 7.1, if either party hereto breaches its obligations under this Agreement, the non-breaching party shall provide the other with notice and a thirty (30) day period to cure the breach. If the breaching party fails to cure the breach or cure is not possible within thirty (30) days, the non-breaching party may terminate this Agreement immediately upon written notice and without further legal action or declaration.

  8. Miscellaneous.

      8.1
      Entire Agreement. This Agreement constitutes the entire agreement between the Parties and supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written, related to the subject matter of this Agreement, unless expressly incorporated herein. Unless otherwise expressly provided herein, this Agreement may not be modified unless in writing signed by the duly authorized representatives of the parties.
      8.2
      Severability. If any provision of this Agreement or part thereof is found to be invalid, the remaining provisions shall remain in full force and effect.
      8.3
      Waiver. If any provision of this Agreement or part thereof is found to be invalid, the remaining provisions shall remain in full force and effect.
      8.4
      Indemnification. YOU (the “Indemnifier”) shall indemnify and hold harmless PokitDok (the “Indemnified”) from and against all fines, losses, liabilities, expenses, damages or injuries that the Indemnified sustains as a result of or otherwise arising out of a claim that: (a) the Indemnifier has violated an applicable law or regulation (including but not limited to Privacy Laws) in connection with this Agreement; or (b) the Indemnifier or its agents or subcontractors have breached this Agreement.
      8.5
      No Third-Party Beneficiaries. Except as otherwise provided in the Privacy Laws or this Agreement, there are no third-party beneficiaries to this Agreement.
      8.6
      Successors and Assigns. This Agreement shall inure to the benefit of, and be binding upon, the successors and assigns of the parties. However, this Agreement is not assignable by YOU without the prior written consent of PokitDok.
      8.7
      Dispute Resolution. If at any time during or after the term of this Agreement either party believes that a dispute exists between them, the parties agree that they shall promptly meet and confer in good faith to attempt to resolve such dispute before resorting to arbitration or court action. The parties further agree that if they are unable to informally resolve any dispute within thirty (30) days, then the dispute shall be submitted for resolution exclusively through confidential, binding arbitration, instead of through trial by court or jury, in accordance with the commercial, expedited dispute rules, then in effect, of either the Judicial Arbitration and Mediation Service (“JAMS”) or the American Health Lawyers Association Alternative Dispute Resolution Service (“AHLA”). This Agreement to arbitrate shall be specifically enforceable. The parties agree that the prevailing party in any dispute related to this Agreement shall be entitled to collect all of its costs, expenses, and reasonable attorney’s fees from the other party. The parties further agree that the laws of the State of California, without reference to its conflict of laws principles, govern this Agreement.
      8.8
      No Warranties. NEITHER PARTY MAKES ANY WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF MARKETABILITY OR COMMERCIAL VIABILITY, AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE.
      8.9
      Limitation of Liability. EXCEPT FOR LIABILITY ARISING FROM GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, CONSEQUENTIAL, EXEMPLARY OR INCIDENTAL DAMAGES (INCLUDING LOST OR ANTICIPATED REVENUES OR PROFITS RELATING TO THE SAME, LOSS OR USE, OR COST OF PROCUREMENT OF SUBSTITUTE PRODUCTS, SERVICES, OR TECHNOLOGY), ARISING FROM ANY CLAIM RELATING TO THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, WHETHER SUCH CLAIM IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF AN AUTHORIZED REPRESENTATIVE OF SUCH PARTY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER FOR ANY CLAIMS, LOSSES, INJURIES, SUITS, DEMANDS, JUDGMENTS, LIABILITIES, COSTS, EXPENSES OR DAMAGES FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY, INCLUSIVE OF INDEMNIFICATION OBLIGATIONS HEREUNDER, EXCEED ONE HUNDRED THOUSAND DOLLARS ($100,000 USD).
      8.10
      Counterparts. This Agreement may be executed in counterparts, by manual, electronic, or facsimile signature, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.

IN WITNESS WHEREOF, by using the PokitDok services YOU agree to all of the terms and conditions set forth herein.