Last updated: April 8, 2024

Practice Services Agreement Additional Terms and Conditions

These terms and conditions set forth below shall be incorporated into the Practice Services Agreement Cover Sheet between SiteRx, Inc. and its Affiliates (collectively “SiteRx”) and Practice (the “Cover Sheet,” and together, the “Agreement”). Capitalized terms not defined here shall have the meanings assigned to them on the Cover Sheet. The Agreement is effective as of the Effective Date on the Cover Sheet.

1.    Definitions.

  1. “Accounts” means all accounts created by or on behalf of Practice, including accounts created by or for any Administrator or Authorized User, to access or use the Platform.

  2. “Administrator(s)” means the person(s) designated by Practice to (i) communicate with SiteRx regarding the performance of Services; and (ii) create and manage Accounts.

  3. “Affiliate(s)” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party. For the purposes of this definition, “control” means direct or indirect ownership or control of more than fifty percent of the voting interests of the subject entity.

  4. “Authorized User” means any individual who is authorized by Practice to, and whom Practice has designated to SiteRx in writing as permitted to, access and use any Services, and to whom Practice or SiteRx has supplied login credentials to access the applicable Services. Authorized Users may include officers, directors, employees, contractors, and other authorized users who will have access to the Platform as determined by Practice.

  5. “Chart Review Services” means (i) reviewing analytics provided by SiteRx on the Platform, which consists of excerpts of patients’ medical records and applicable information about treatment alternatives, including eligibility criteria related to Clinical Trials, in order to assess whether the Eligible Patients may be suitable matches for a treatment alternative; and (ii) meeting with SiteRx representatives to review Eligible Patients identified through analytics and Practice’s medical records review.

  6. “Clinical Trial” means a clinical trial identified as a treatment alternative on the Platform.

  7. “Clinical Site” means any entity that administers Contact, Screening and Enrollment of Eligible Patients for Clinical Trials.

  8. “Confidential Information” means all nonpublic data and other information of a Party that is of a confidential or proprietary nature including, without limitation: (i) a Party’s operational and business proposals and plans, pricing, financial information, methods, processes, code, data, inventions, statistics, programs, research, technology, network designs, and passwords and sign-on codes; (ii) the terms of this Agreement; and (iii) Practice Data. Confidential Information does not include information that is: (a) generally known or available to the public; (b) received by the receiving Party from a third party with no obligation of confidentiality to the disclosing Party; (c) already in the receiving Party’s possession prior to the date of receipt from the disclosing Party; or (d) independently developed by the receiving Party; provided in each case that such foregoing information was not delivered to or obtained by the receiving Party as a result of any breach of this Agreement.

  9. “Contact” means the date an Eligible Patient was first contacted by the Clinical Site.

  10. “Deidentified Data” shall mean Protected Health Information (as defined by HIPAA) that has been de-identified in accordance with 45 C.F.R. § 164.514 and any other identifiable information not otherwise governed by HIPAA that has been de-identified, pseudonymized or anonymized in accordance with applicable laws or regulations.

  11. “Documentation” means any manuals or specifications concerning the use of the Platform that SiteRx furnishes or makes available to Practice, its Administrators or its Authorized Users and that SiteRx makes available to its customers generally.

  12. “Eligible Patients” means patients, matched by Practice, who may be eligible for participating in a Clinical Trial based on their diagnosis and/or condition, and the applicable Trial Protocol.

  13. “Enrolled Patients” means Eligible Patients that enroll in a Clinical Trial.

  14. “Enrollment” means the date an Eligible Patient is enrolled in a Clinical Trial after the Screening and being determined to be eligible for the Clinical Trial by a Clinical Site in accordance with the applicable Trial Protocol.

  15. “Feedback” means any comments, suggestions, and recommendations provided by Practice to SiteRx in the course of this Agreement regarding the Services (including, without limitation, comments, suggestions and recommendations with respect to modifications, enhancements, improvements and other changes to the Platform).

  16. “HIPAA” means collectively, the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, as amended and in effect.

  17. “Intellectual Property” means all concepts, inventions (whether or not protected under patent laws), works of authorship, information fixed in any tangible medium of expression (whether or not protected under copyright laws), moral rights, mask works, trademarks, trade names, trade dress, trade secrets, publicity rights, names, likenesses, know-how, ideas (whether or not protected under trade secret laws) and all other subject matter protected under patent (or which is not patented, but is subject matter that is protected under patent law), copyright, mask work, trademark, trade secret, or other laws, whether existing now or in the future, whether statutory or common law, in any jurisdiction in the world, for all media now known or later developed, including all new or useful art, combinations, discoveries, formulae, algorithms, specifications, manufacturing techniques, technical developments, systems, computer architecture, artwork, software, programming, applets, scripts, designs, processes and methods of doing business.

  18. “Platform” means the software as a service solution provided by SiteRx under this Agreement which uses algorithms and data analytics to identify potential matches of patients with treatment alternatives, and all derivative works, improvements, or modifications thereof, including but not limited to clinical research opportunities, diagnostic testing, and other prospective and in-market treatments and other care-related interventions, for review and consideration by the Practice.

  19. “Practice Data” means information made available by Practice to SiteRx for the purposes of this Agreement prior to being Processed by SiteRx and generated by Practice through the performance of the Practice Services.

  20. “Practice Services” means the services Practice provides to SiteRx upon request related to: (i) Chart Review Services; (ii) if appropriate in a physician’s professional judgment, informing Eligible Patients of the opportunity to pursue a treatment alternative, including to participate in a Clinical Trial, and obtaining from the Eligible Patients an authorization in accordance with HIPAA; (iii) Validation Services; and (iv) other non-clinical ancillary services requested by SiteRx and accepted by the Practice pursuant to a separate addendum incorporated by reference herein.

  21. “Pre-Qualification Services” means certain diagnostic tests and/or related services including, but not limited to, cognitive testing, genetic testing, and clinical fitness and suitability reviews, performed by SiteRx or its vendors, on behalf of Practice, to determine an Eligible Patient’s suitability and potential eligibility for a Clinical Trial prior to determining an Eligible Patient’s interest in participating in a Clinical Trial. For the avoidance of doubt, Pre-Qualification Services do not constitute either clinical recommendations, or screening or other research activities.

  22. “Process” or “Processing” means to use, modify, adapt, enhance, reproduce, aggregate, create derivative works and/or other improvements (including, without limitation, to create pseudonymized data, anonymized data, De-Identified Data, and Limited Data Sets), import, export, perform, display, execute, transmit, process and distribute any Practice Data or improvements based thereon, and copies of any of the foregoing.

  23. “Rematching Services” means, pursuant to the approval provided by a physician under this Agreement to identify potential matches of Eligible Patients with Clinical Trials, SiteRx’s services to re-match such Eligible Patient to another Clinical Trial (if available) and notify such physician of the rematched Clinical Trial through the Platform if an Eligible Patient declines, is not suitable or eligible, or otherwise fails to complete Screening for the Clinical Trial(s) approved by a physician.

  24. “Screening” means the date that the Eligible Patient is screened by the Clinical Site as measured by the date that the Eligible Patient signs an informed consent form as provided by such Clinical Site and in accordance with the applicable Trial Protocol.

  25. “Services” means, collectively, the Platform and SiteRx’s services described in more detail in this Agreement, including, without limitation, the following: to facilitate Practice’s consideration of alternate treatment options for its patients, including but not limited to clinical research opportunities, diagnostic testing, and other prospective and in-market treatments and other care-related interventions through the Platform; provisioning Platform access to Administrators or Authorized Users as necessary; creating, training, re-training or fine-tuning SiteRx’s artificial intelligence models and related algorithms based on the Trial Protocol(s), Statistical Information, De-identified Data and/or PPI information as necessary in SiteRx’s sole discretion; deploying the algorithms against patient medical record information to identify Eligible Patients; the Pre-Qualification Services; the Rematching Services; Support Services (defined herein); maintaining, modifying, improving and augmenting the Platform functionality and algorithms; and any other services delegated by the Practice to SiteRx and accepted by SiteRx, pursuant to a business associate agreement between the Parties, or otherwise described in this Agreement. Services delegated to SiteRx may include, without limitation, informing Eligible Patients of the opportunity to participate in a Clinical Trial if appropriate in a physician’s independent professional judgment, obtaining from the Eligible Patients an authorization in accordance with HIPAA authorizing the Practice to submit the Eligible Patients’ information through the Platform to SiteRx and the Clinical Sites, and obtaining treatment-related information and progress updates from the Clinical Sites as requested or authorized by the Practice pursuant to SiteRx’s role as a business associate conducting care coordination and healthcare operations activities.

  26. “Sponsor” means an entity that sponsors Clinical Trials and provides the Trial Protocols.

  27. “Support Services” means the implementation, configuration, training, and other assistance that may be provided by SiteRx to Practice for (i) Practice to access and use the Platform; and (ii) SiteRx to access, use, and transmit the Practice Data.

  28. “Trial Protocol” means the protocol for a Clinical Trial describing Eligible Patient, Screening and Enrollment criteria and processes, specifying the data or information that must be collected from Eligible Patients.

  29. “Validation Services” means ongoing reporting by Practice of data collected regarding an Eligible Patient, but for the avoidance of doubt, not as a part of the Clinical Trial, and not in response to any request or requirement of the Clinical Site.

2.    Access to and Use of Platform.

  1. License Grant. Subject to the terms and conditions of this Agreement, SiteRx hereby grants to Practice a limited, non-exclusive, non-transferable (except as specified herein) license to: (i) access and use, and permit Administrators and Authorized Users to access and use, the Platform during the Term (as defined herein) for the purposes contemplated in this Agreement; and (ii) access and use the Documentation as necessary to enable Administrators and Authorized Users to access and use the Platform for purposes consistent with this Agreement.

  2. Restrictions on Use. Practice will use commercially reasonable efforts to ensure that its Administrators and Authorized Users do not: (i) use the Platform in any manner or for any purpose other than as expressly permitted by this Agreement or any Documentation; (ii) use the Platform in violation of any local, state, or federal law or regulation; (iii) sell, lend, rent, resell, lease, sublicense or otherwise transfer any of the rights granted to Practice herein to any third party; (iv) modify, alter, tamper with, repair or otherwise create derivative works of any software included in or used to provide the Platform; (v) reverse engineer, disassemble or decompile the Platform or any software contained therein, or attempt to discover or recreate the source code to the Platform; (vi) remove, obscure or alter any proprietary rights notices related to the Platform; (vii) access or use the Platform in a way intended to avoid incurring fees or exceeding usage limits or quotas; or (viii) use the Platform to (a) send unauthorized commercial communications or messages; (b) store or transmit any file or Practice Data containing: (1) unlawful, defamatory, threatening, pornographic, abusive, libelous or otherwise objectionable material of any kind or nature, (2) any material that encourages conduct that could constitute a criminal offense, (3) any code or material that violates any law or regulation, or (4) any code or material that violates the Intellectual Property rights or rights to the publicity or privacy of others; (c) transmit any Practice Data or materials that contain software viruses or other harmful or deleterious computer code, files or programs such as Trojan horses, worms, time bombs or cancelbots; (d) interfere with or disrupt servers or networks that provide or support the Platform or other SiteRx customers’ access to or use of the same; (e) access or attempt to access SiteRx’s other accounts, computer systems or networks not covered by this Agreement, through password mining or any other means; (f) cause, as determined in SiteRx’s sole discretion, an inordinate burden on SiteRx’s system resources or capacity; or (g) build a competitive solution or service, build a product or service using similar ideas, features, functions or graphics of the Services, or copy any ideas, features, functions or graphics of the Services, or determine whether the Services are within the scope of any patent.

  3. Suspension. SiteRx reserves the right to temporarily suspend or disable Practice’s or an Administrator’s or Authorized User’s access to or use of the Platform in the following circumstances: (i) if SiteRx reasonably believes that any use of the Platform represents a direct or indirect threat to the Platform, or SiteRx’s systems or network function or integrity; (ii) if reasonably necessary to prevent unauthorized access to or harm to Practice Data or data of other SiteRx customers; (iii) if SiteRx reasonably believes that Practice’s use of the Platform is in violation of any local, state or federal law or regulation; or (iv) to the extent reasonably necessary to comply with SiteRx’s legal obligations. Any suspension pursuant to this section will only be in effect for as long as reasonably necessary to address the issues giving rise to the suspension. SiteRx will provide advance notice before suspending access to the Platform, unless SiteRx reasonably believes an immediate suspension is required.

  4. Updates. Notwithstanding anything to the contrary in this Agreement, SiteRx reserves the right, in its sole discretion, to modify the functionality or features or release a new version of the Platform from time to time.

3.    SiteRx Obligations.

  1. Services. SiteRx shall use reasonable efforts to provide the Services as described in this Agreement, and to pay Compensation for Practice Services performed by Practice. All payments hereunder are intended to reflect the fair market value to compensate Practice for performance of the Practice Services solely for the benefit of SiteRx, and no payment is being exchanged hereunder (i) at the request, direction, or instruction of, or as a pass-through payment from, any Sponsor or other party that may constitute an “applicable manufacturer” as such term is defined by 42 U.S.C. §1320a-7h et seq. and 42 C.F.R. §403.900 et seq., or (ii) as part of any sale of Protected Health Information as such term is defined by HIPAA (as defined in the Additional Terms, as defined below) or in exchange for the use and disclosure of Protected Health Information for “marketing” purposes as defined in HIPAA.

  2. Practice Services. SiteRx may, itself or through a subcontractor, use reasonable efforts to perform Data Integration, Processing, Services, and other mutually agreed upon activities necessary to enable Practice to perform the Practice Services.

  3. Maintenance and Support. SiteRx shall use reasonable efforts to provide maintenance and Support Services, on an “as-needed” and “as-requested” basis.

4.    Practice Obligations; Instructions.

  1. Practice Data Integration. Practice shall use reasonable efforts to transmit to SiteRx and otherwise enable the integration, extraction, and/or export by SiteRx, by itself or through a subcontractor, of all mutually agreed upon Practice Data from the Practice’s electronic medical records system into SiteRx’s Platform (“Data Integration”) that SiteRx deems necessary to (i) provide the Services; and (ii) enable Practice to perform the Practice Services.

  2. Accounts. Practice will appoint one or more Administrators who will have sole responsibility for the assignment and management of Authorized Users’ Accounts. As between Practice and SiteRx, Practice will be solely responsible for providing the login and password information that will permit Administrators and Authorized Users to access and use the Platform (“Account Credentials”). Practice will protect Account Credentials from unauthorized use or disclosure. Practice will ensure that Administrators and Authorized Users do not share their Account Credentials with any other person and do not permit any other person to access and use the Platform through their Accounts. Practice will ensure that each Administrator and Authorized User accessing or using the Platform complies with this Agreement, the Statement(s) of Work and any Documentation. Practice is fully responsible for any authorized or unauthorized use of the Platform via Account Credentials.

  3. Rematching Services. SiteRx shall provide Rematching Services on behalf of Practice to support Practice in carrying out Practice Services unless Practice instructs SiteRx otherwise in writing.

  4. Pre-Qualification Services. The Pre-Qualification Services are performed on behalf of, and at the request of, Practice, and Practice acknowledges that it is hereby instructing SiteRx to procure such Pre-Qualification Services and such other additional medical or other testing or services as the applicable physician of the Practice, in consultation with SiteRx, may consider appropriate for determining their patient’s suitability and/or potential eligibility for treatment alternatives, including clinical research, or as may otherwise be required for consideration for recruitment in a Clinical Trial.

  5. Compliance with Laws. Practice shall perform the Practice Services in conformance with all applicable laws, standards, rulings, policies, regulations, and ethical rules and guidelines. Practice will comply with and cause its employees and contractors (including physicians), as well as Administrators and Authorized Users, to comply with, all laws, rules, regulations and ethical rules and guidelines applicable to Practice’s and its employees’, contractors’, Administrators’, and Authorized Users’ access and use of the Platform.

  6. Cooperate. Practice shall cooperate with SiteRx, in order to transmit Practice Data to SiteRx including, without limitation, by providing to SiteRx such information and reasonable access (including information regarding and access to Practice’s electronic medical records system) as is requested by SiteRx.

  7. Practice Services. Practice shall provide the Practice Services described above for the applicable Clinical Trials as requested by SiteRx in accordance with applicable law, industry best practices, and the terms of this Agreement. Practice acknowledges and agrees that nothing contained in this Agreement shall be construed to require or induce Practice or physicians to enroll patients in any Clinical Trial, or to generate business for SiteRx, a Sponsor, a Clinical Site, or any of their respective affiliates. Further, nothing contained in this Agreement shall be construed to interfere with Practice or its clinicians’ independent professional judgment in rendering clinical decisions for Eligible Patients or Enrolled Patients.

  8. No Data Backup. The Services are not, and do not include, backup services and do not replace the need for Practice to maintain regular data, information and records backups and archives. SiteRx has no obligation or liability for any loss, alteration, destruction, damage, corruption, or recovery activities related to failure of Practice to back up its data, information or records.

  9. Notification of Unauthorized Use. Practice will immediately notify SiteRx in writing of any actual or reasonably suspected unauthorized use of any Account, Account Credentials, Practice Data or the Platform by an Authorized User or third party that comes to Practice’s attention. In the event of any such unauthorized use, Practice will take all steps necessary to terminate such unauthorized use in cooperation with SiteRx’s Information Security personnel and will provide SiteRx with such cooperation and assistance related to any such unauthorized use as SiteRx may reasonably request.

  10. Training. Practice shall participate in any training made available to the Practice by SiteRx.

  11. Phone Emulation. Practice agrees that, to facilitate SiteRx’s contact with Eligible Patients as necessary for SiteRx’s performance hereunder, SiteRx may emulate Practice’s phone number. To facilitate such phone calls, Practice shall provide SiteRx with a phone number which Practice uses to contact Eligible Patients for similar calls. SiteRx shall make such phone calls using live persons only, unless otherwise authorized by the applicable Eligible Patient in which case Practice consents to SiteRx’s use of Practice’s phone number in accordance with the foregoing. Practice may opt out of this phone number emulation at any time by providing written notice to SiteRx, upon receipt of which SiteRx shall promptly cease emulating Practice’s phone number.

  12. Electronic Communications. Practice consents to receive electronic communications from SiteRx concerning or related to the Services, including phone calls, e-mails, and text messages to phone numbers and e-mail addresses provided by Practice or its personnel to SiteRx, as well as messages or prompts via the Platform. Practice acknowledges and agrees that communications between SiteRx and Practice may be monitored or recorded by SiteRx for purposes of (i) facilitating SiteRx’s performance of the Services for Practice, (ii) internal assessment and verification of the quality of the Services, (iii) training of SiteRx personnel, and (iv) SiteRx’s compliance with applicable law; provided that each of the foregoing purposes shall be subject to applicable law.

5.    Termination.

  1. Term. This Agreement shall commence on the Effective Date and remain in effect unless terminated pursuant to the provisions below (the “Term”).

  2. Termination. Either Party may terminate this Agreement upon breach by the other Party of any material provision of this Agreement, provided that the breaching Party is provided with written notice of the breach and such breach is not cured within the thirty (30) days after the breaching Party’s receipt of notice. SiteRx may terminate this Agreement immediately following written notice to Practice upon the occurrence of any of the following events: (i) conduct by Practice or any physician which, in the sole discretion of SiteRx, could affect the reputation of SiteRx; and (ii) cessation of the Clinical Trial or termination by a Clinical Site of SiteRx’s services. Either Party may terminate this Agreement without cause upon one hundred eighty (180) days’ written notice to the other, and the Practice must continue to provide Practice Services to all Eligible Patients who have, as of the termination notice date, executed a HIPAA authorization to disclose their health records to Clinical Site(s).

  3. Effect of Termination. Upon the expiration or termination of this Agreement, Practice and each Administrator’s and Authorized User’s right to access and use the Services will terminate; and each Party will promptly return to the other Party or, at such other Party’s request, destroy, any Confidential Information of the other Party, including all copies and portions thereof; provided, however, that a Party may retain Confidential Information that is (i) contained in an archived computer system back-up in accordance with security and/or disaster recovery procedures, or contained in latent data, until the ordinary course deletion thereof; or (ii) retained for legal, regulatory compliance, archival or record retention purposes, and the Parties’ obligations hereunder as to such Confidential Information and all oral Confidential Information shall survive the expiration or termination of this Agreement. The expiration or termination of this Agreement shall not relieve either Party of any obligation pursuant to this Agreement which arose on or before the date of expiration or termination, and those sections of this Agreement which by their terms extend beyond termination or expiration of this Agreement shall survive, except that in the event that Practice terminates this Agreement without cause, or SiteRx terminates it with cause.

  4. Survival. Any termination or expiration of this Agreement (a) shall be without prejudice to any right which shall have accrued to either Party prior to such expiration or termination, and (b) shall not affect any provision of this Agreement which, by its terms, is to be performed after any expiration or termination of this Agreement. Without limiting the generality of the foregoing, the sections titled “Compensation and Payment Terms,” “Term and Termination,” “Sole Similar Relationship,” “Confidential and Proprietary Information,” “Confidentiality and Proprietary Information,” “Warranties,” “Indemnification,” “Disclaimer; Limitation of Liability,” and “Miscellaneous” will survive any termination or expiration of this Agreement.

6.    Sole Similar Relationship.

Nothing in this Agreement or in this Section shall be interpreted as precluding the Practice from performing its health care functions and offering clinical research opportunities to its patients without relying on the Platform or any similar products or services, or from matching patients to clinical research opportunities that are not made available through the Platform. The Practice agrees that during the term of this Agreement and for six (6) months after its termination for any reason, SiteRx shall be the exclusive corporate recipient of services similar to the Practice Services, as provided by Practice; and the Practice shall not, directly or indirectly hire, engage, contract, or enter into an arrangement with a third party where the Practice is the recipient of services that are similar to the Services. 

7.    Confidentiality and Proprietary Information.

  1. Practice Data. Subject to the terms of this Agreement, the Business Associate Addendum, and applicable laws and regulations, Practice hereby grants to SiteRx, its Affiliates, and applicable subcontractors a perpetual, irrevocable, worldwide, non-exclusive, assignable, no-charge, royalty-free right and license to use the Practice Data (i) to perform the Services and (ii) to exercise SiteRx’s rights or perform SiteRx’s obligations under this Agreement. As between SiteRx and Practice, Practice is and shall continue at all times to be the sole and exclusive owner of all Practice Data and all Intellectual Property rights in or with respect to any or all of the Practice Data.

  2. SiteRx Intellectual Property. Practice acknowledges and agrees that the Platform, any Feedback, and all derivative works, improvements, or modifications of the Practice Data created hereunder are the Intellectual Property of, and owned solely and exclusively by, SiteRx (“SiteRx Intellectual Property”). To the extent Practice has any right, title or interest in or to any SiteRx Intellectual Property, Practice hereby irrevocably assigns all rights, title, and interests in and to such SiteRx Intellectual Property to SiteRx.

  3. Statistical Data. Notwithstanding anything herein to the contrary, SiteRx may compile de-identified statistical information related to the use and performance of the Services (“Statistical Information,” and together with the Deidentified Data, “Statistical Data”). Such Statistical Data will not be considered confidential information, will be SiteRx’s property, and may be used by SiteRx for any purpose.

  4. Physician Privacy. SiteRx may collect physician personal information (“PPI”) in connection with Practice’s use of the Services and performance of Practice Services in accordance with the Privacy Policy accessible via the Platform, which governs how SiteRx collects, processes, discloses and maintains PPI. Practice represents that it has complied with all applicable data privacy laws concerning its collection and disclosure of PPI to SiteRx. With respect to the PPI that it receives from Practice or Authorized Users, SiteRx represents that it has and will independently comply with all obligations imposed by applicable data privacy laws upon controllers, that it will not consider itself to be a joint controller with Practice, and that it will not rely upon Practice to perform any of SiteRx’s obligations as a controller.

  5. Confidentiality. A Party receiving Confidential Information of the other Party will (i) use such Confidential Information solely for the purposes for which it is provided, and (ii) otherwise protect such Confidential Information from unauthorized use and disclosure to the same extent that it protects its own Confidential Information of a similar nature; provided, however, that a Party may disclose the other Party’s Confidential Information to its employees, authorized subcontractors, agents, consultants and auditors who have a reasonable need to know such information, so long as such employees, subcontractors, agents, consultants and auditors are bound by confidentiality obligations to such Party no less restrictive than those applicable to such Party in this section. The foregoing will not apply to any use or disclosure that is (iii) required by applicable law, legal process or governmental authority, provided that the receiving Party uses reasonable efforts to notify the disclosing Party in advance of the required disclosure so as to provide the disclosing Party an opportunity to seek, at its own expense, an appropriate protective order or other remedy to contest or limit such disclosure (subject to any limitations on the receiving Party’s ability to notify the disclosing Party of such required disclosure imposed by applicable law, legal process or governmental authority); or (iv) made with the specific prior written consent of the disclosing Party.

8.    HIPAA Obligations.

By agreeing to these Additional Terms, the Parties agree to the Business Associate Addendum attached hereto as Exhibit A, the terms of which are incorporated herein by reference as if recited herein. Practice shall obtain an authorization meeting the requirements of 45 C.F.R. § 164.508, as may be amended from time to time, and any applicable state laws to permit the disclosure of protected health information (as defined in HIPAA) to SiteRx, SiteRx’s subsequent disclosure of such protected health information to Clinical Sites, and use of such protected health information by Clinical Sites for clinical trial eligibility and screening purposes.

9.    Reporting.

Practice acknowledges that SiteRx has certain informational disclosure and reporting obligations under applicable federal and state laws, on behalf of itself or to third parties. Therefore, upon reasonable request by SiteRx, Practice agrees to promptly provide all information reasonably necessary for SiteRx to comply with such reporting obligations, and Practice represents and warrants that any such information shall be accurate and complete. Practice acknowledges that SiteRx will rely on information provided by Practice in meeting its reporting obligations and therefore, Practice agrees to indemnify SiteRx from any claims and expenses arising out of or related to any failure by Practice to comply with any of the foregoing provisions.

10.    Setoff.

Notwithstanding anything to the contrary herein, in the event that it is discovered that the Practice Services rendered were non-compliant with applicable law, industry best practices, or the terms of this Agreement, SiteRx shall have the right to set off any payment, either in whole or in part, against any other payment it is otherwise required to make under this Agreement, without obligation or liability to Practice.

11.    Insurance.

Practice shall maintain for such length of time as necessary to cover any and all claims arising out of or relating to the Services performed under this Agreement, professional liability insurance in the following minimum coverage amounts: $250,000 per occurrence and $750,000 in the aggregate covering each physician providing the Services. Upon SiteRx’s request, Practice shall furnish a copy of the certificate of insurance evidencing such coverage.

12.    Audit Rights.

SiteRx on behalf of itself, and the Clinical Sites and Sponsors with which it contracts, shall have the right, during regular business hours and with reasonable notice, to perform monitoring and/or auditing activities on-site and/or off-site with respect to Practice’s performance hereunder, the proper use of the Platform and the quality of Practice Services, and/or to confirm the Practice is in compliance with this Agreement. 

13.    Warranties.

  1. Mutual Warranties. Each Party represents and warrants to the other Party that (i) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such Party in accordance with its terms; (ii) no authorization or approval from any third party is required in connection with such Party’s execution, delivery or performance of this Agreement; and (iii) the execution, delivery and performance of this Agreement does not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound.

  2. Practice Warranties. Practice represents and warrants the following, and shall notify SiteRx in writing within two (2) days of any such representation and warranty becoming untrue: (i) it shall perform the Practice Services in a professional and workmanlike manner, and in accordance with applicable law, industry best practices, and the terms and conditions of this Agreement; (ii) that any physician associated with the Practice is, and shall remain throughout the Term, properly licensed and qualified to perform all actions hereunder, including but not limited to, providing the Practice Services, and that no such physician’s professional license in any jurisdiction has ever been denied, suspended, revoked, terminated, voluntarily relinquished under threat of disciplinary action or restricted in any way; (iii) that no physicians and other Practice employees are: (a) currently excluded, debarred or otherwise ineligible to participate in one or more of the federal healthcare programs or excluded from participation in any federal or state procurement or non-procurement programs; (b) convicted of a criminal offense related to the provision of healthcare items or services but have not yet been excluded, debarred or otherwise declared ineligible to participate in one or more of the federal healthcare programs; or (c) under investigation or otherwise aware of any circumstances which may result in any physician or any other Practice employee being excluded from participation in one or more of the federal healthcare programs; (iv) Practice or its licensors own all right, title and interest in and to the Practice Data; (v) Practice has the necessary rights in the Practice Data to provide the Practice Data to SiteRx and grant the rights to SiteRx contemplated by this Agreement; (vi) use of the Practice Data or the Platform by Practice will not violate any law, rule or regulation, including HIPAA, or otherwise violate the rights of any third party; (vii) to Practice’s knowledge, Practice represents and warrants that any phone number provided by Practice pursuant to section 4K shall be complete, accurate and up-to-date; (viii) Practice has or will obtain all consents, and made or will provide notice to applicable Eligible Patients, as required by law to facilitate SiteRx’s performance under section 4K; and (ix) any and all Practice Data or information provided by Practice was or shall be collected and transferred to SiteRx, Clinical Site, or Sponsor in accordance with all applicable privacy and data protection laws, and that Practice has or will obtain all consents, and made or will provide notice to the data subjects, as required by law. Any breach of subsections (ii) and (iii) shall give SiteRx the right to immediately terminate this Agreement.

14.    Indemnification. 

  1. SiteRx shall defend Practice from and against any and all loss, damage or expense, including reasonable attorneys’ fees (“Losses”), that Practice may sustain or incur as a result of any third-party claim, suit or proceeding (“Third Party Claims”), arising out of or in connection with a third-party allegation that Practice’s use or access to the Platform infringes upon any domestic or foreign third-party copyright or trade secret rights. In the event of any such claim for indemnification, as Practice’s sole indemnification remedy, SiteRx may (a) modify the Platform to remove the actual or alleged infringement or violation, (b) suspend or terminate access to the Platform, or (c) procure a license to the rights alleged to be infringed.

  2. Practice shall defend, indemnify and hold SiteRx harmless from and against any and all Losses that SiteRx may sustain or incur as a result of any Third Party Claims arising out of or in connection with: (i) any use of or access to the Services by Practice; (ii) the negligent, grossly negligent, or wrongful performance by Practice of the Practice Services; (iii) any actual or alleged negligent, intentional or willful act or omission, or criminal conduct, of Practice, or any of its employees (including physicians), agents or subcontractors; (iv) any actual or alleged violation by Practice, or any of its employees, agents or subcontractors, of any applicable law, statute, ordinance or regulation; (v) any failure by Practice to obtain necessary consents, authorizations, approvals or releases relating to the Practice Services, or any infringement or alleged infringement upon any patent right, copyright, trade secret right, or other proprietary right of any third-party; or (vi) any failure by Practice to perform any obligation under this Agreement. For the avoidance of doubt, breaches of applicable law or the material terms of this Agreement shall constitute intentional actions for the purposes of this Section. 

15.    DISCLAIMER; LIMITATION OF LIABILITY.

  1. DISCLAIMER. EXCEPT AS EXPRESSLY OTHERWISE PROVIDED HEREIN, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, OR TO THE EXTENT ANY STATUTORY RIGHTS APPLY THAT CANNOT BE EXCLUDED, LIMITED OR WAIVED, SITERX (i) MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICES, THE PRACTICE DATA, THE TRIAL PROTOCOLS OR OTHER INFORMATION PROVIDED ON THE PLATFORM; AND (ii) DISCLAIMS ALL WARRANTIES, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES (a) OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, (b) ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE, (c) THAT THE SERVICE, PRACTICE DATA, TRIAL PROTOCOLS OR OTHER INFORMATION PROVIDED ON THE PLATFORM WILL BE UNINTERRUPTED, ERROR FREE, COMPLETE, OR FREE OF HARMFUL COMPONENTS, (d) THAT ANY PRACTICE DATA, TRIAL PROTOCOLS OR OTHER INFORMATION ON THE PLATFORM WILL BE COMPLETE, SECURE OR NOT OTHERWISE LOST OR ALTERED, AND (e) THAT ANY CLINICAL RESEARCH TRIALS PROVIDED TO THE PRACTICE FOR REVIEW IS A COMPLETE LIST OF ALL POSSIBLE OR ALL AVAILABLE OPTIONS, OR THAT THE LIST OF OPTIONS WILL NOT BE SUBJECT TO ADDITIONS, DELETIONS AND ALTERATIONS OVER TIME.

  2. DISCLAIMER. PRACTICE ACKNOWLEDGES AND AGREES THAT, AS BETWEEN PRACTICE AND SITERX, PRACTICE’S AND ITS PHYSICIANS’ DUTY TO ITS PATIENTS IN PROVIDING HEALTHCARE SERVICES LIES SOLELY WITH PRACTICE AND ITS PHYSICIANS, AND ANY INFORMATION PROVIDED BY OR OBTAINED THROUGH THE SERVICES IS NOT A SUBSTITUTE FOR PRACTICE’S INDEPENDENT CLINICAL JUDGMENT IN PROVIDING PATIENT CARE. SITERX DISCLAIMS ALL LIABILITY FOR ANY CLINICAL DECISIONS MADE USING INFORMATION OR RESULTS PROVIDED BY OR OBTAINED THROUGH THE SERVICES.

  3. LIMITATION OF LIABILITY; EXCLUSION OF CONSEQUENTIAL AND RELATED DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE (WHETHER BASED IN CONTRACT, TORT, WARRANTY OR OTHERWISE, INCLUDING FOR NEGLIGENCE, WHETHER ACTIVE, PASSIVE OR IMPUTED) TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR IN RELATION TO THIS AGREEMENT (INCLUDING DAMAGES FOR LOSS OF PROFIT, GOODWILL, AND USE OR LOSS OF DATA), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  4. LIMITATION ON LIABILITY; LIABILITY CAP. THE ENTIRE LIABILITY OF EITHER PARTY TO THE OTHER PARTY ARISING OUT OF OR IN RELATION TO THIS AGREEMENT FOR ANY LOSS OR DAMAGE, REGARDLESS OF THE FORM OF ACTION, SHALL BE LIMITED TO ACTUAL DIRECT DAMAGES THAT ARE REASONABLY INCURRED, AND IN NO EVENT SHALL SITERX’S ENTIRE LIABILITY EXCEED THE AMOUNTS ACTUALLY PAID TO PRACTICE UNDER THIS AGREEMENT DURING THE SIX (6) MONTHS PRECEDING THE FIRST CLAIM ARISING UNDER THIS AGREEMENT.

  5. EXCEPTIONS. THE LIABILITY LIMITATIONS IN THIS SECTION WILL NOT APPLY TO VIOLATIONS OF A PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR INDEMNIFICATION OBLIGATIONS HEREUNDER.

16.    Miscellaneous.

  1. Independent Contractors. Practice and its participating physicians shall act at all times as independent contractors and not as employees, agents, partners or joint venturers of SiteRx. The Parties agree that SiteRx shall not have and shall not exercise any control or direction over the manner or method by which Practice or its physicians provide Services.

  2. Publicity. Practice shall permit SiteRx to use or reference in any advertising, sales promotion, press release or other communication the name of the Practice, the fact that the Practice is performing Services under this Agreement and/or contributing data to the Platform, and any testimonials provided by physicians of the Practice regarding the Services. SiteRx shall use commercially reasonable efforts to provide advance notice of such publication.

  3. Entire Agreement; Modification. This Agreement contains the entire understanding of the Parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written, and all other communications between the Parties relating to such subject matter. This Agreement may not be amended or modified by Practice except by mutual written agreement. This Agreement may be amended or modified by SiteRx at any time by posting the revised Agreement on the Platform and/or otherwise making Practice aware of the changes. Practice’s continued use of or access to the Platform after the posting of an updated Agreement (or other method of legal acceptance) constitutes acceptance of the updated Agreement.

  4. Dispute Resolution. All claims, controversies or disputes arising hereunder shall be submitted to arbitration. Such arbitration shall take place in New York, New York, United States of America and shall proceed in accordance with the laws of such jurisdiction and the Commercial Arbitration Rules of the American Arbitration Association. A record and transcript of the proceedings shall be maintained. Any award shall be made in writing and in reasonable detail, setting forth the findings of fact and conclusion of law supporting the award. The determination of a majority of the panel of arbitrators shall be the decision of the arbitrators, which shall be binding regardless of whether one of the parties fails or refuses to participate in the arbitration. The decision shall be enforceable by a court of law, provided that the decision is supported by substantial fact and is without material error of law. All costs of such arbitration, except expert fees and attorneys’ fees, shall be shared equally by the Parties. Notwithstanding the foregoing, arbitration shall not be required to the extent that (i) a statute of limitations is reasonably likely to expire during the pendency of the arbitration; or (ii) for a matter seeking injunctive or equitable relief or seeking contribution or indemnification.

  5. Governing Law; Venue. This Agreement shall be interpreted, construed and enforced pursuant to and in accordance with the laws of the State of New York without giving effect to its conflict of laws provisions; and, except as expressly otherwise provided herein, federal and state courts of New York shall be the sole and exclusive venue for any litigation or other proceeding between the Parties concerning this Agreement.

  6. Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be an original, but all of which together shall constitute one and the same instrument. The Parties agree to accept and be bound by facsimile or PDF transmitted copies of this Agreement and its counterparts, including facsimile or PDF signatures of the Parties.

  7. Notices. Any notice, demand or communication required, permitted or desired to be given hereunder shall be deemed given when delivered either (i) personally, (ii) by overnight mail, (iii) by prepaid certified mail, return receipt requested, or (iv) in the case of notice from SiteRx to Practice, by email or by SiteRx communication via the Platform, addressed as follows:

    If to SiteRx:
    SiteRx, Inc.
    101 6th Avenue, 10th Floor
    New York, NY 10013
    Attn: Practice Success
    E-mail: practicesuccess@siterx.com, with a copy to legal@siterx.com 

    If to Practice, then to the address or email address listed at the end of the Practice’s signature block in the Cover Sheet, or via general user communication or communication sent specifically to Practice on the Platform.

    Notice shall be deemed given three (3) days after mailing if notice is given via mail or immediately upon receipt if notice is given via email or Platform communications.

  8. Waiver. A waiver by either Party of a breach or failure to perform hereunder shall not constitute a waiver of any subsequent breach or failure.

  9. Assignment; Binding Effect. Practice shall not assign or transfer, in whole or in part, this Agreement or any of Practice’s rights, duties or obligations under this Agreement without the prior written consent of SiteRx, and any assignment or transfer by Practice without such consent shall be null and void. This Agreement is assignable by SiteRx without consent or notice. This Agreement shall inure to the benefit of and is binding upon the Parties and their respective heirs, representatives, successors and permitted assigns.

  10. Change in Law. In the event that any provision of this Agreement becomes impermissible or unlawful as a result of any law; any rule, ruling or regulation enacted or promulgated by any federal, state or other governmental administrative body; or any court or governmental administrative agency decision (“Change in Law”), based on the advice of legal counsel, SiteRx may determine that such provision, as well as any other provisions, of this Agreement must be modified for this Agreement to remain permissible or otherwise in compliance with law.

  11. Partial Invalidity. If any term or provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal or unenforceable, such invalidity, illegality or unenforceability shall not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction.

  12. Headings; Construction. The sections and other headings contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement. Each Party acknowledges that it has had an opportunity to negotiate any and all of the provisions of this Agreement and no rule of construction shall be used that would interpret any provision in favor of or against a Party on the basis of which Party drafted the provision. In the event of any conflict between the Agreement or other agreement referencing and incorporated into this Agreement, the other agreement shall control to the extent of the conflict.

  13. Additional Assurances. The provisions of this Agreement shall be self-operative and shall not require further agreement by the Parties except as may be herein specifically provided to the contrary; provided, however, at the request of SiteRx, Practice shall execute such additional instruments and take such additional acts as are reasonably necessary to effectuate this Agreement.

Business Associate Addendum

This BUSINESS ASSOCIATE ADDENDUM (this “BAA”) is entered into as of the Effective Date by and between the Practice (for purposes of this BAA, the “Covered Entity”) and SiteRx (for purposes of this BAA, the “Business Associate”).

RECITALS

WHEREAS, the Business Associate performs healthcare operations services (for purposes of this BAA, the “Services”) on behalf of Covered Entity pursuant to the Agreement.

WHEREAS, the Agreement involves the Use and/or Disclosure of Protected Health Information (defined below); and

WHEREAS, the parties desire to enter into this BAA in order to comply with HIPAA.

NOW, THEREFORE, the parties do hereby agree as follows:

1. Definitions. Capitalized terms not otherwise defined in this BAA shall have the same meaning as those terms in the Agreement or in the Privacy Rule and the Security Rule (defined below).

    1. “Breach” when capitalized, shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Agreement, the word shall have its ordinary contract meaning.

    2. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity.

    3. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D, and E, as currently in effect.

    4. “Protected Health Information” or “PHI” shall have the meaning set forth in the Privacy Rule, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity. PHI includes EPHI.

    5. “Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C.

    6. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

2. Business Associate Obligations.

    1. Uses and Disclosures. Business Associate shall not Use or further Disclose PHI other than as permitted or required by this BAA, to perform Services or as Required By Law, provided that:

      1. Such Use or Disclosure would not violate HIPAA if done by Covered Entity; and

      2. Such Use or Disclosure shall be limited to the minimum necessary to accomplish the permissible purpose(s) of the Use or Disclosure.

    2. Uses and Disclosures Permitted By Law. As permitted by the Privacy Rule, Business Associate may:

      1. Use PHI: as is necessary for the proper management and administration of Business Associate’s organization; to provide data aggregation services; and to carry out the legal responsibilities of Business Associate.

      2. Disclose PHI if the disclosure is Required By Law; or is subject to reasonable assurances obtained by Business Associate from the third party to whom the PHI is disclosed that PHI will be held confidentially, securely, and Used or Disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and any breaches of confidentiality of PHI which become known to such third party will be promptly reported to Business Associate.

    3. Privacy Rule. To the extent Business Associate carries out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation(s).

    4. Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than the Uses and Disclosures permitted or required by this BAA. Business Associate shall comply with the Security Rule with respect to EPHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.

    5. Reporting. Business Associate shall report to Covered Entity any Use or Disclosure of PHI not permitted or required by this Agreement and any Security Incident of which it becomes aware in accordance with HIPAA. The parties agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted Unsuccessful Security Incidents. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

    6. Agents and Subcontractors. Business Associate shall ensure that any and all Subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing prior to the Subcontractors’ receipt of such PHI, to the same terms and conditions of this BAA with respect to PHI. Each subcontract agreement must contain the same restrictions and conditions applying to Business Associate with respect to PHI, including without limitation the provisions of this BAA.

    7. Patient Rights.

      1. Access and Amendment. Business Associate does not expect to maintain a Designated Record Set under the Services. However, to the extent that Business Associate maintains a Designated Record Set, Business Associate shall:

        1. Notify Covered Entity as promptly as reasonably practicable upon receipt of a request from an Individual for access to or a copy of such Individual’s PHI or to amend such Individual’s PHI;

        2. Make PHI available to Covered Entity, as reasonably requested by Covered Entity and in accordance with 45 C.F.R. § 164.524 to enable Covered Entity to respond to the Individual’s request for access; and

        3. Upon receipt of notice from Covered Entity, promptly amend any portion of the PHI so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526.

      2. Patient Right to Request Accounting. Business Associate shall maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528. If any Individual requests an accounting from Business Associate, Business Associate shall notify Covered Entity of the details of such request to enable Covered Entity to respond to any such Individual in compliance with its obligations under 45 C.F.R. § 164.528. Business Associate agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.

    8. Audit. To the extent required by law and subject to attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity available to the Secretary of Health and Human Services, upon request, solely for purposes of determining and facilitating Covered Entity’s compliance with HIPAA.

    9. De-identified Data. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(b).

    10. Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this BAA, the Privacy Rule, the Security Rule, or other applicable federal or state law.

    11. Breach. If Business Associate has knowledge or a reasonable belief a Breach of Unsecured Protected Health Information has occurred, Business Associate shall notify the Covered Entity as required by 45 C.F.R. § 164.410. Such notification shall include, to the extent possible, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, Used or Disclosed during the Breach, along with any other information that the Covered Entity will be required to include in its notification to the Individual, the media and/or the Secretary and a description of the Business Associate’s investigation, mitigation, and prevention efforts.

3. Covered Entity Obligations.

    1. Notice of Privacy Practices. Covered Entity shall notify Business Associate of limitation(s) in its notice of privacy practices to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.

    2. Individual Permission. Covered Entity shall notify Business Associate of changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.

    3. Restrictions. Covered Entity shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures. Covered Entity will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate or one of its Subcontractors to violate this BAA or any applicable law.

    4. Authorizations. Covered Entity shall obtain any authorization or consents as may be Required by Law for any of the uses or disclosures of PHI necessary for Business Associate to provide the Services.

    5. Compliance with Laws. Covered Entity will not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with HIPAA or this BAA.

4. Term & Termination.

    1. Term. The Term of this BAA shall begin on the Effective Date and shall continue until all PHI provided by Covered Entity to Business Associate is destroyed or returned to Covered Entity. If it is infeasible to return or destroy all PHI, this BAA shall continue for so long as PHI is maintained by Business Associate, which maintenance shall be in accordance with Section 4.c) herein.

    2. Termination.

      1. By Covered Entity. Upon determination by Covered Entity, in its reasonable discretion, of a material breach by Business Associate of this BAA, Covered Entity may terminate this BAA upon thirty (30) days’ notice; provided however, Covered Entity shall not terminate if Business Associate takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this BAA on a forward-looking basis within such thirty (30) day notice period.

      2. By Business Associate. Upon determination by Business Associate, in its reasonable discretion, of a material breach by Covered Entity of this Agreement, Business Associate may terminate this BAA upon thirty (30) days’ notice; provided however, Business Associate shall not terminate if Covered Entity takes reasonable steps to mitigate harm resulting from the breach and otherwise agrees to comply with the terms of this BAA on a forward-looking basis within such thirty (30) day notice period.

    3. Obligations of Business Associate Upon Termination. At termination of this BAA or the Agreement, to the extent feasible, Business Associate shall return or destroy all PHI Business Associate maintains in any form and shall retain no copies of PHI, except for PHI that has been De-identified such that it is no longer protected under HIPAA. Notwithstanding anything herein to the contrary, if Business Associate determines, in its reasonable discretion, the return or destruction of such PHI is not feasible, Business Associate shall extend the protections of this BAA to the remaining information and limit further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.

    4. Survival. The terms of this Section shall survive the termination or expiration of this BAA.

5. Required Disclosure. If Business Associate is confronted with legal action to disclose any PHI, Business Associate shall, to the extent permitted, promptly notify Covered Entity of such action. Thereafter, upon request by Covered Entity, Business Associate shall use reasonable efforts to assist Covered Entity in obtaining a protective order or other similar order and shall disclose only the minimum amount of PHI that is required to be disclosed in order to comply with the legal action, whether or not a protective order or other order has been obtained.

6. Compliance with Laws. Business Associate shall comply with all applicable federal, state and local laws, rules and regulations. To the extent that Covered Entity’s operations constitute a “Part 2 Program” as defined in the federal alcohol and drug rehabilitation regulations at 42 C.F.R. Part 2 (“Part 2”), and PHI provided to Business Associate contains “records” as defined in 42 C.F.R. § 2.11 (“Substance Use Disorder Records”), Business Associate acknowledges that, with respect to Substance Use Disorder Records and in receiving, storing, processing, or otherwise dealing with Substance Use Disorder Records, Business Associate is fully obligated and bound to comply with Part 2. Business Associate (i) shall use, disclose, and release Substance Use Disorder Records in accordance with Part 2, and (ii) if necessary, will resist in judicial proceedings any efforts to obtain access to Substance Use Disorder Records and patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by Part 2. With respect to the Part 2 Program, Business Associate also will be a qualified service organization as defined under Part 2.

7. Conflict. Except as specifically required to implement the purposes of this BAA, and except to the extent inconsistent with this BAA, all terms of the Agreement shall remain in full force and effect. In the event of a conflict between the terms of the Agreement and this BAA, this BAA shall control. This BAA supersedes any and all other agreements between the parties related to this subject matter.

8. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

9. Amendment. The parties shall amend this BAA from time to time by mutual written agreement in order to keep this BAA consistent with any changes made to the HIPAA laws or regulations in effect as of the Effective Date and with any new regulations promulgated under HIPAA. Covered Entity may terminate this BAA in whole or in part if the parties are unable to agree to such changes by the compliance date for such new or revised HIPAA laws or regulations.