Terms of Use

Your use of all CorVista Health, Inc. (“CorVista” or “us,” “we,” or “our”) websites, including without limitation staging.analytics4life.com and the CorVista® System Portal (“Portal”), (each a “Website” and collectively the “Websites”), is subject to the following terms and conditions (this “Agreement” or “Terms of Use”). By using the Websites you acknowledge that you have read this Agreement in its entirety, and that this Agreement constitutes a binding and enforceable obligation among you, CorVista Health, Inc. and its parent company, Analytics For Life Inc. (collectively for purposes of these Terms of Use, “CorVista”, “we”, “us”, or “our”). Should you disagree with any of the terms and conditions of this Agreement, your sole recourse is to discontinue use of the Websites. Please read this Agreement carefully.

 

PLEASE READ THESE TERMS OF USE CAREFULLY AND UNDERSTAND THEM BEFORE YOU PROCEED because the terms and conditions form a binding agreement (“Agreement” or “Terms of Use”) between you and us when you use the Website(s). That is, if you access or use the Websites, or any of them, it will mean you read, understand, and expressly agree to the terms in these Terms of Use and that you will use the Website(s) and services accessible through the Website(s) in accordance with all of the terms and conditions herein and all other applicable agreements, information, services, materials and other content provided by or through the Website(s) and/or us directly. If you are using the Website(s) on behalf of a hospital, company, or other legal entity, person, or persons, you are representing that you are authorized to act on their behalf, and you are individually bound by this Agreement even if one or more of them has a separate agreement with us. You may not use services on the Website(s) and/or that we provide if you do not agree to all terms and conditions, including the arbitration and indemnity provisions, unless otherwise stated on any consent or permitted by law. Therefore, if any term below is unacceptable to you, please do not use the Website(s).

 

When you accept these Terms of Use, we grant you a limited, personal, non-exclusive, nontransferable, fully revocable license to access and to use the Website(s) as permitted under these Terms of Use and any Other Agreements. You have no other rights to the Website(s) or any materials available therein (the “Materials”), and as further described below, you may not modify, edit, copy, reproduce, create derivative works of, reverse engineer, alter, enhance or in any way exploit any of the Materials in any manner or services we provide in our Website(s), including those provided via our Portal (collectively, “Services”).

 

If you breach any of these Terms of Use, the above license will terminate automatically. If we have reasonable grounds to suspect that you violated any provision or aspect of these Terms of Use, we may deny or terminate your access to the Website(s) (or any portion thereof).

Without limiting any other statement or term herein, you also represent, acknowledge, and/or agree that the following applies each time you access or use the Website(s):

 

  1. NO WARRANTIES. WE EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, ARISING FROM THE WEBSITE(S), AND SPECIFICALLY DISCLAIM THAT ACCESS TO THE WEBSITE(S) WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE. YOU ASSUME FULL RESPONSIBILITY FOR THE CONNECTION TO THE WEBSITE YOU USE.

 

  1. PORTAL REGISTRATION AND ACCOUNT INFORMATION. If you are an authorized health care practitioner accessing the Portal, you must register for and be granted an account with us or be an authorized user of a hospital or corporate account. Each account holder is required to have a unique username and password. You agree to: (a) keep the account holder’s or your password secure and confidential; (b) not permit unauthorized persons to use the account; (c) refrain from using other users’ accounts; (d) refrain from selling, trading, or otherwise transferring your account to another party; (e) refrain from charging anyone for access to the Portal; (f) acknowledge that you are responsible for any act or omission of any users that access the Portal under your account or using your password that, if undertaken by you, would be a violation of these Terms of Use.

 

  1. INFORMATION WE COLLECT ABOUT YOU. We may collect information from you in connection with your use of the Website(s), including information about your affiliation with a hospital, medical group, or other entity, and/or your relationship with a particular patient to whom we may be providing services. You promise that all information you provide to us is true, accurate, current and complete, and you agree to maintain and promptly update such information to keep it true, accurate, current and complete. By providing information to us, you represent and warrant that you are authorized or entitled to submit the information, that you are doing so voluntarily and not in violation of any contractual restrictions or third-party rights.

    COMPLIANCE WITH LAW. You agree to comply with all applicable local, state, national, and international laws in connection with your use of the Websites, and such further limitations as may be set forth in any written or on-screen notice from us, and specifically that you will not (a) stalk, harass, or harm another individual or user; (b) access, collect, or store personal data about other users, patients, or persons unless lawfully authorized to do so; (c) impersonate any person or entity, or otherwise misrepresent your affiliation with a person or entity; (d) interfere with or disrupt the servers or networks connected to the Website(s) or disobey any requirements, procedures, policies or regulations of networks connected to them; (e) attempt to gain unauthorized access to any portion of the Website(s) or any other accounts, whether through hacking, password mining, or any other means; and/or (f) impersonate any person or entity or otherwise misrepresent your affiliation with a person or entity.

 

  1. NO INTERFERENCE WITH SECURITY. By using the Website(s), you further agree not to violate or attempt to violate the security of any of the Websites, including, by way of illustration but not limitation, actions such as accessing data not intended for you or logging into a server or account that you are not authorized to access; attempting to probe, scan, or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization; attempting to interfere with service to any user, host, or network, including, without limitation, by way of submitting a virus to or overloading, “flooding,” “spamming,” “mailbombing,” or “crashing” any of the Websites; sending unsolicited email, including promotions and/or advertising of products or services; and forging any TCP/IP packet header or any part of the header information in any email or posting.

 

  1. OTHER AGREEMENTS. You acknowledge that these Terms of Use do not alter the terms and/or conditions of any written agreement(s) you and/or other parties may have or will have with us, (“Other Agreements”), and that using the Website(s) will not violate any Other Agreements and/or violate any rights of other users or third parties, including intellectual property rights and privacy rights. If there is any conflict between these Terms of Use and Other Agreements you have with us, the terms of the more specific and recent Other Agreements will govern.

 

  1. PRIVACY POLICY/PORTAL PRIVACY NOTICE. You agree to the terms and conditions of our Privacy Policy, found at staging.analytics4life.com/privacy. Each of these is incorporated herein and made a part hereof.

 

  1. USER FEEDBACK. Any comments, feedback, notes, messages, ideas, suggestions or other communications (collectively, “Comments”) sent to us, whether through a Website, e-mail, facsimile, postal mail or other means, shall be and remain our exclusive property. Your submission of any such Comments shall constitute an irrevocable assignment to us of any and all worldwide rights, titles and interests in all copyrights and other intellectual property rights in the Comments. As such, we and any of our affiliates will be entitled to use, reproduce, disclose, publish and distribute any material you submit for any purpose whatsoever, without restriction and without compensating you in any way. For this reason, we ask that you not send us any Comments which you do not intend to assign to us, including any confidential information or any original creative materials such as stories, product ideas, computer code or original artwork.

 

  1. THIRD-PARTY WEBSITES. Our websites contain hyperlinks (“links”) to websites operated by persons or entities other than us (“third-party Websites”). We provide such links for your reference and convenience only. A link from one of our Websites to a third-party Website does not imply or mean that we endorse the content on that third-party Website or its operator or operations. You are solely responsible for your use of any content at any third-party Website to which you might link from one of our Websites. CORVISTA HEALTH, INC. IS NOT RESPONSIBLE OR LIABLE FOR ANY LOSS OR DAMAGES INCURRED AS A RESULT OF ANY DEALINGS WITH ANY THIRD-PARTY WEBSITE.

 

  1. INDEMNITY. YOU AGREE TO DEFEND, INDEMNIFY, AND HOLD HARMLESS CORVISTA HEALTH, INC. AND ITS AFFILIATES, PARENT COMPANY, SUCCESSORS AND ASSIGNS, AND ITS AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, CO-BRANDERS OR OTHER PARTNERS FROM AND AGAINST ANY AND ALL ALLEGATIONS, CLAIMS, DEMANDS, ACTIONS, CAUSES OF ACTION, PROCEEDINGS (WHETHER THREATENED OR PENDING), ORDERS, DAMAGES, LOSSES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEY’S FEES AND OTHER LEGAL EXPENSES, AND JUDGMENTS OF ANY KIND OF NATURE, INCURRED BY US ARISING OUT OF OR RELATING TO YOUR USE OF THE WEBSITES, YOUR VIOLATION OF THIS AGREEMENT, OR YOUR VIOLATION OF ANY RIGHTS OF ANOTHER.

 

  1. LIMITED TIME TO BRING CLAIMS. Where permitted by law, you and we agree that any cause of action arising out of or related to the Website(s) must be commenced within one (1) year after the cause of action accrues. Otherwise, such cause of action is permanently barred.

 

  1. LIMITATION OF LIABILITY. YOU UNDERSTAND THAT, TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, IN NO EVENT WILL CORVISTA HEALTH, INC. OR ANY OF OUR OWNERS, SUBSIDIARIES, AFFILIATED COMPANIES, EMPLOYEES, SHAREHOLDERS, OR DIRECTORS BE CUMULATIVELY LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF REVENUES, PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF SUCH PARTIES WERE ADVISED OF, KNEW OF OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY), ARISING OUT OF OR RELATED TO YOUR USE OF THE SERVICES, REGARDLESS OF WHETHER SUCH DAMAGES ARE BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE AND STRICT LIABILITY), WARRANTY, STATUTE OR OTHERWISE. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE SERVICES, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USE OF THE SERVICES. Some jurisdictions do not allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages, and as a result some of the above disclaimers may not apply to you. To the extent we may not, as a matter of applicable law, disclaim any implied warranty or limit its liabilities, the scope and duration of such warranty and the extent of our liability shall be the minimum permitted under applicable law.

 

  1. MUTUAL RIGHTS OF TERMINATION. You may terminate this Agreement, for any or no reason, at any time, upon notice to us. We may terminate, modify, restrict, or suspend your use of the Websites, your account, and/or your registration (including, for the avoidance of doubt, your use of the Portal and your account and registration with us via the Portal) without notice for any reason at any time. You understand that termination of your Agreement with us and your account will not entitle you to any refund and may involve deletion of your information and any content you uploaded using such Account. YOU AGREE THAT WE WILL NOT BE LIABLE TO YOU OR ANY OTHER PARTY FOR ANY TERMINATION OF YOUR ACCESS TO THE WEBSITES (INCLUDING WITHOUT LIMITATION THE PORTAL, AS APPLICABLE) OR DELETION OF YOUR ACCOUNT OR CONTENT UPLOADED BY YOU. OTHER AGREEMENTS WITH CORVISTA HEALTH, INC. MAY CONTAIN DIFFERENT TERMINATION PROVISIONS FOR A GIVEN SERVICE. IN SUCH CASES, TERMINATION PROVISIONS WITHIN OTHER AGREEMENTS SHALL GOVERN THE TERMINATION OF THOSE SERVICES.

 

  1. APPLICABLE LAW. The validity, interpretation, construction, and performance of these Terms of Use and any claim, cause of action or dispute arising out of, or related to, this Agreement, and dispute resolution, shall be governed by the laws of the state of Delaware without giving effect to the principles of conflict of laws. Except for disputes subject to arbitration as described below, any disputes relating to these Terms of Use or the Website(s) will be heard in the courts located in Raleigh, North Carolina, U.S.A.

 

  1. DISPUTE RESOLUTION. YOU AND CORVISTA HEALTH, INC. AGREE THAT ALL CLAIMS ARISING OUT OF, OR RELATED TO, THIS AGREEMENT MUST BE RESOLVED EXCLUSIVELY BY BINDING ARBITRATION LOCATED IN RALEIGH, NORTH CAROLINA, U.S.A. AS ADMINISTERED BY AAA AND GOVERNED BY THE FEDERAL ARBITRATION ACT, except that only one (1) arbitrator shall be appointed to preside over the dispute and discovery will be limited to the exchange of directly relevant documents and two (2) fact witness depositions, absent a showing of good cause and order thereon by the arbitrator. YOU AND CORVISTA HEALTH, INC. AGREE TO SUBMIT TO THE PERSONAL JURISDICTION OF THE COURTS LOCATED WITHIN RALEIGH, NORTH CAROLINA FOR THE PURPOSE OF LITIGATING ANY REFUSAL TO ARBITRATE. NOTWITHSTANDING THE ABOVE, YOU AGREE THAT CORVISTA HEALTH, INC. SHALL STILL BE ALLOWED TO APPLY FOR INJUNCTIVE REMEDIES (OR AN EQUIVALENT TYPE OF URGENT LEGAL RELIEF) IN ANY JURISDICTION. IN NO EVENT SHALL YOU SEEK OR BE ENTITLED TO RESCISSION, INJUNCTIVE OR OTHER EQUITABLE RELIEF, OR TO ENJOIN OR RESTRAIN THE OPERATION OF THE SERVICE, EXPLOITATION OF ANY ADVERTISING OR OTHER MATERIALS ISSUED IN CONNECTION THEREWITH, OR EXPLOITATION OF THE SERVICES OR ANY CONTENT OR OTHER MATERIAL USED OR DISPLAYED THROUGH THE SERVICES.

 

  1. NO CLASS OR REPRESENTATIVE ACTIONS. YOU AGREE THAT YOU AND CORVISTA HEALTH, INC. ARE EACH WAIVING ANY RIGHT TO PARTICIPATE AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS ACTION OR REPRESENTATIVE PROCEEDING. Further, unless otherwise agreed, any arbitrator appointed may not consolidate more than one person’s claims, and may not otherwise preside over any form of any class or representative proceeding absent our express agreement and the express agreement of all parties.

 

  1. SEVERABILITY. If any provision of these Terms of Use is found by a court of competent jurisdiction or arbitrator to be invalid, you and we nevertheless agree that the court should give effect to the other provisions of these Terms of Use, and that they will remain in full force and effect.

 

  1. NOTICES AND COMMUNICATIONS. We may notify you via postings on staging.analytics4life.com. You may contact us at [email protected].

 

 

INTELLECTUAL PROPERTY

CorVista Health, Inc. is the owner and/or authorized user of any trademark, registered trademark and/or service mark, trade dress and design appearing on the Websites (including without limitation CORVISTA HEALTH, CORVISTA and related designs and logos), whether or not appearing in large print or with the trademarked symbol, and is the owner or licensee of the copyright rights in the text, images, photographs, graphics, user interface, music, animations, videos and other content and/or information appearing on the Websites as well as the selection, coordination and arrangement of such content, to the full extent provided under United States and international laws. By placing such trademarks and content on the Websites, we do not grant any license or other authorization to copy or use its trademarks, registered trademarks, service marks, copyrightable material, or other intellectual property, except as provided herein. Various products or services described on the Websites may carry registered or other trademarked symbols that are the sole property of their respective owners. You may view, print, and download portions of the content and/or information on the Websites solely for your personal, non-commercial use. We reserve the right to revoke this authorization at any time. Reproduction, copying, or redistribution of materials on the Websites for commercial purposes is strictly prohibited without our express written permission. We retain all right, title and interest in and to the patent, copyright, trademark, trade secret and any other intellectual property rights in the Websites and any derivative works thereof, subject only to the limited licenses set forth in this Agreement.

 

MODIFICATIONS

We may make modifications, improvements, deletions, or amendments to any of the Websites and these Terms of Use at any time we deem appropriate. Any and all relevant portions of these Terms of Use will automatically apply to all such modifications, improvements, deletions, and/or amendments as they appear on the Websites. We also may discontinue any of the Websites at any time and for any reason, without notice. We may discontinue or restrict your use of any of the Websites for any reason, without notice. We have no obligation to provide support, maintenance, upgrades, modifications or new releases of any of the Websites under this Agreement.

 

If you believe that you are entitled or obligated to act contrary to these Terms of Use under any law, you will provide us with a detailed explanation of your reasons in writing at least 30 days before you take action that is contrary to these Terms of Use to allow us to assess whether we may, at our sole discretion, provide modifications or an alternative remedy for the situation, though we are under no obligation to do so.

 

Business Associate Agreement

This Business Associate Agreement is entered into between CorVista and Client (each a “Party”, a “Business Associate” with respect to the other), effective, except as otherwise provided in this Agreement, as of the date of signature of the Client Service Agreement to which this Business Associate Agreement is an addendum.

The parties wish to enter into this Agreement to enable each Party to meet applicable requirements of the regulations issued under administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applicable to such Party, and this Agreement shall be interpreted accordingly. This Agreement also is intended to satisfy certain requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), included in the American Recovery and Reinvestment Act of 2009 (“ARRA”), when and as they become applicable to either Party as a Business Associate and this Agreement shall be interpreted accordingly.

ARTICLE 1

DEFINITIONS

The following terms, for purposes of this Agreement, have the meanings indicated, unless the context clearly requires otherwise:

1.1 Business Associate means CorVista and/or Client, as the context may require.

1.2 Breach has the same meaning as the term “breach” under 45 CFR Section 164.402.

1.4 Individual has the same meaning as the term “individual” in 45 CFR Section 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).

1.5 Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

1.6 Protected Health Information or PHI means information that qualifies as protected health information under 45 CFR Section 160.103 with respect to Such Party.

1.7 Required by Law has the meaning set forth in 45 CFR Section 164.103.

1.8 Secretary means the Secretary of the Department of Health and Human Services or his or her designee.

1.10 Security Standards means the federal regulations issued as Health Insurance Reform: Security Standards and codified at 45 CFR parts 160, 162 and 164.

1.11 Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, but only to the extent that the incident involves electronic PHI.

1.12 Unsecured Protected Health Information has the same meaning as that term has under 45 CFR Section 164.402, but limited to information that is accessed, maintained, retained, modified, recorded, stored, destroyed or otherwise held, used or disclosed by Business Associate on behalf of Such Party.

1.13 Terms used, but not otherwise defined, in this Agreement have the same meaning as those terms have in 45 CFR Sections 160.103, 164.103, 164.402 and 164.501 or in Section 13400 of ARRA.

 

ARTICLE 2

OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

2.1 Each Party, in its capacity as a Business Associate, agrees that it will not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Each Party, in its capacity as a Business Associate, agrees to use appropriate safeguards (including administrative, physical, and technical safeguards) to prevent use or disclosure of the PHI, other than as provided for by this Agreement. Each Party, in its capacity as a Business Associate, agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this Agreement and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this Agreement.

2.3 Each Party, in its capacity as Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

2.4 Each Party, in its capacity as Business Associate, agrees to report to the other Party any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.

2.5 Each Party, in its capacity as Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits PHI on behalf of Business Associate, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to that information by entering into an agreement with the subcontractor or other agent that satisfies the requirements of 45 CFR Section 164.504(e)(5). To the extent that a subcontractor or other agent of Business Associate creates, receives, maintains or transmits electronic PHI on behalf of Business Associate, Business Associate will ensure that the subcontractor or agent agrees to comply with the applicable requirements of the Security Standards by entering into an agreement that complies with 45 CFR Section 164.314.

2.6 If a Party, in its capacity as Business Associate has PHI in a Designated Record Set, Business Associate agrees to provide access, at the request of the other Party or an Individual, and in the time and manner designated by the other Party, to such PHI, to such Party or, as directed by the other Party, to an Individual, in order to meet the requirements under 45 CFR Section 164.524.

2.7 To the extent reasonably necessary for a Party to comply with 45 CFR Section 164.524(c)(2), if a Party in its capacity as Business Associate maintains PHI in an electronic format for any Individual, Business Associate agrees to provide, at the request of an Individual, and in the time and manner designated by the Individual, a copy of such information in the electronic format designated by the Individual to that Individual or, if clearly, conspicuously and specifically directed by the Individual to transmit an electronic copy of that information directly to an entity or person designated by the Individual. If electronic information described in the preceding sentence is not readily producible in the form and format requested by the Individual, it will be provided in a readable electronic form and format as agreed to by Business Associate and the Individual, or, if no agreement is reached, in a hard copy format. Any fee charged by Business Associate to the Individual for providing such information (or a summary or explanation of such information) cannot exceed the amount described in 45 CFR Section 164.524(c)(4). Except as otherwise expressly provided in this Section 2.7, any information provided pursuant to this Section will comply with the requirements of 45 CFR Section 164.524 as they apply to such Party. If a request described in this Section 2.7 is made by the Individual to a Party instead of Business Associate, Business Associate agrees to work with the other Party to allow such Party to respond to the request in accordance with Section 164.524.

2.8 If each Party, in its capacity as Business Associate has PHI in a Designated Record Set, such Business Associate agrees to make any amendment to such information that the other Party directs or agrees to pursuant to 45 CFR Section 164.526 at the request of such Party or an Individual, and in the time and manner designated by such Party.

2.9 Each Party, in its capacity as Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, the other Party available to such Party, or at the request of such Party to the Secretary, in a time and manner designated by such Party or the Secretary, for purposes of the Secretary determining such Party’s compliance with the Privacy Rule.

2.10 Each Party, in its capacity as Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Such Party to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. In addition, effective beginning on the date the requirements of regulations issued pursuant to Section 13405(c) of ARRA become applicable to Such Party, if Business Associate maintains information in an electronic format, to the extent necessary for Such Party to comply with ARRA Section 13405(c) and applicable regulations, Business Associate agrees to document access to and disclosures of PHI in electronic form, including applicable disclosures for payment, treatment or health care operation purposes and information related to such disclosures as would be required for such Party to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528, as modified in accordance with ARRA Section 13405(c).

Business Associate agrees to provide to Such Party or an Individual, in a reasonable time and manner designated by Such Party, information collected in accordance with this Section 2.10, to permit Such Party to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.

2.11 In conducting any electronic transaction that is subject to the Electronic Transaction Regulations on behalf of Such Party, each Party, in its capacity as Business Associate agrees to comply with all requirements of the Electronic Transaction Regulations that would apply to Such Party if Such Party were conducting the transaction itself.

2.12 To the extent that a Business Associate under this Agreement creates, receives, maintains or transmits electronic PHI on behalf of the other Party, Business Associate agrees to maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all electronic PHI and to otherwise comply with applicable requirements of the Security Standards.

2.13 To the extent that either Party, in its capacity as a Business Associate creates, receives, maintains or transmits electronic PHI on behalf of Such Party, Business Associate agrees to report to the other Party any Security Incident of which it becomes aware. For any successful Security Incident, i.e. any Security Incident that results in the unauthorized access, use, disclosure, modification, or destruction of electronic PHI or interference with system operations on an information system on which electronic PHI is maintained, the report will be provided without unreasonable delay and in no event later than ten days after Business Associate becomes aware of the incident.

For any unsuccessful Security Incidents (i.e., all Security Incidents not described in the previous paragraph), following a written request by Party hereunder, either Party in its capacity as a Business Associate will promptly provide to the other Party a report summarizing all such previously unreported incidents.  Also, no later than the next January 31 following the end of each calendar year, a Business Associate will provide to the other Party a written report summarizing all unsuccessful Security Incidents that have not previously been reported to such other Party.    Unsuccessful Security Incidents include but are not limited to pings on the Business Associate’s firewall, port scans, attempts to log onto a system or enter a database with an invalid password or username, denial-of-service attacks that do not result in the system being taken off-line, or malware such as worms or viruses and similar failed attempts to access systems that include electronic PHI.

For successful Security Incidents, each incident report will: 

1. Identify each individual whose PHI is known to have been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during the incident;

2. Identify the nature of the non-permitted access, use, or disclosure and the date of the incident and the date of discovery;

3. Identify the PHI accessed, used, or disclosed;

4. Identify who made the non-permitted access, use, or received the non-permitted disclosure;

5. Identify any corrective action Business Associate has taken or will take to prevent similar Security Incidents in the future;

6. Identify any actions Business Associate has taken or will take to mitigate any harmful effects of the Security Incident; and

7. Provide such other information, as the other Party may reasonably request.

To the extent that any of the above information is not available to be included in the Security Incident report, the report must include an explanation of why such information is not available to Business Associate.

For unsuccessful Security Incidents, each annual or requested incident report will summarize the types and number of occurrences or frequency of unsuccessful Security Incidents; will indicate whether Business Associate believes its current security measures are adequate to address all unsuccessful Security Incidents, given the scope and nature of such attempts; and if existing security measures are not adequate, the report will describe the measures Business Associate will implement to address the security inadequacies.  Notwithstanding the preceding, to the extent that the parties agree that no report of an unsuccessful Security Incident (or of specific types of unsuccessful Security Incidents) is required under applicable law, no such report will be required under this Agreement.

2.14 To the extent that a Party, in its capacity as a Business Associate, accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured Protected Health Information on behalf of the other Party, Business Associate agrees to notify such Party of any Breach of such information.  Such notification will comply with 45 CFR Section 164.410 including, to the extent possible, identifying each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach.  In addition, the notice described in the preceding sentence will include all information that is reasonably available to the Business Associate that the other Party would reasonably be expected to need to fulfill its legal obligations with respect to the Breach, including the information required to be provided in a report of a successful Security Incident as described in this Agreement.  If additional information described in the preceding sentence becomes available after the original notice is provided to the other Party, the Party in its capacity as Business Associate agrees to promptly provide the additional information to the other Party as it becomes available.

Each Party acting as a Business Associate agrees to provide notice of the Breach without unreasonable delay and in no case later than 60 calendar days after Business Associate discovers the Breach.  For purposes of the preceding sentence, Business Associate will be treated as discovering the Breach on the first day on which the Breach is known (or should reasonably have been known) to Business Associate (including any employee, officer or other agent of Business Associate other than the person committing the Breach).  Whether a Breach has occurred will be determined in accordance with applicable regulations or other authoritative guidance issued pursuant to the HITECH Act.  A delay in notification of a Breach that qualifies as a “law enforcement delay” under 45 CFR Section 164.412 or other applicable guidance will not be treated as a violation of this Agreement.

2.15 To the extent that a Business Associate agrees, under the terms of this Agreement or a general services agreement or otherwise, to carry out any obligation that the other Party may have under the Privacy Rule at 45 CFR part 164, subpart E, Business Associate agrees to comply with the requirements of subpart E that would apply to such other Party in performing that obligation.

ARTICLE 3

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

3.1 Except as otherwise limited in this Agreement, a Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the other Party as specified in the [Services Agreement and Supplier Agreement] between each Party, provided that such use or disclosure would not violate the Privacy Rule, the Security Standards or the HITECH Act if done by the performing Party.

3.2 Except as otherwise limited in this Agreement, each Party as a Business Associate hereunder may use PHI for the proper management and administration of the Party as a Business Associate or to carry out the legal responsibilities of a Business Associate.

3.3 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.4 Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to the other Party as permitted by 45 CFR Section 164.504(e)(2)(i)(B).

3.5 A Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR Section 164.502(j)(1).

ARTICLE 4

OBLIGATIONS OF SUCH PARTY

4.1 Each Party shall notify the other Party in its capacity as a Business Associate of any limitation in its notice of privacy practices that Party produces in accordance with 45 CFR Section 164.520, to the extent that that limitation may affect Business Associate's permitted or required uses and disclosures.

4.2 Each Party shall notify the other Party in its capacity as a Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if those changes affect Business Associate's permitted or required uses and disclosures.

4.3 Each Party shall notify the other Party in its capacity as a Business Associate of any restriction on the use or disclosure of PHI that Party has agreed to in accordance with 45 CFR Section 164.522.

ARTICLE 5

PERMISSIBLE REQUESTS

5.1 Except as permitted under Sections 3.2, 3.3 or 3.4 of this Agreement, each Party shall not request that the other Party in its capacity as a Business Associate use or disclose PHI in any manner that would not be permitted under the Privacy Rule, the Security Standards or the HITECH Act if done by the disclosing Party, unless such use or disclosure is otherwise permitted under the Privacy Rule, the Security Standards or the HITECH Act if done by the Business Associate on behalf of the disclosing Party and is consistent with the requirements of the general services agreements between the Parties.

ARTICLE 6

TERM AND TERMINATION

6.1 Term.  This Agreement is effective beginning upon the date of signing of the Client Service Agreement and will terminate when all of the PHI provided by a Party to the other Party as a Business Associate, or created or received by a Party as a Business Associate on behalf of the other Party, is destroyed or returned to the other Party, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Article 6.

6.2 Termination for Cause.  If either Party becomes aware of a material breach of this Agreement by the other Party as a Business Associate, either Party shall (1) provide an opportunity for the other Party as a Business Associate to cure the breach or end the violation and terminate this Agreement (and any applicable portion of a general services agreement between the parties) if Business Associate does not cure the breach or end the violation within the time specified by the non-breaching Party, or (2) immediately terminate this Agreement (and any applicable portion of a general services agreement that covers the services that Business Associate performs for the other Party) if the Business Associate has breached a material term of this Agreement and cure is not possible.

6.3 Effect of Termination.

(a) Except as provided in paragraph (b) of this Section, upon termination of this Agreement for any reason, each Party as a Business Associate shall return or destroy all PHI received from the other Party or created or received by a Party as a Business Associate on behalf of the other Party.  This provision applies to PHI that is in the possession of subcontractors or agents of either Party in its capacity as a Business Associate.  Except as provided in paragraph (b) of this Section, either Party acting as a Business Associate shall retain no copies of such PHI.

(b) If Business Associate determines that returning or destroying PHI is infeasible, either Party acting as a Business Associate shall notify the other Party of the conditions that make return or destruction infeasible and either Party acting as a Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as such Party acting as a Business Associate maintains such PHI.

ARTICLE 7

MISCELLANEOUS

7.1 Regulatory and Statutory References.  A reference in this Agreement to a regulation or a statute means that regulation or statute as in effect and as amended at the time of reference and as interpreted pursuant to any applicable guidance provided by the Secretary or other responsible regulatory authority and any applicable case law.

7.2 Amendment.  The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Such Party and Business Associate to comply with the requirements of the Administrative Simplification provisions of HIPAA or the HITECH Act, and of the regulations issued pursuant to those laws.  The Parties may agree to amend this Agreement from time to time in any other respect as they deem appropriate.  This Agreement shall not be amended except by written instrument executed by each Party.

7.3 Survival.  The respective rights and obligations of Business Associate under Section 6.3 of this Agreement shall survive the termination of this Agreement.

7.4 Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits a Party to comply with applicable requirements of the HIPAA Administrative Simplification regulations and with the applicable requirements of the HITECH Act.  Also, nothing in this Agreement shall be construed to require Business Associate to violate its obligations to comply with any requirements of the Privacy Rule or the Security Standards that apply directly to Business Associate.

7.5 Effective Date.  Notwithstanding any other provision of this Agreement, Business Associate shall not be required to comply with any obligation imposed on it by this Agreement which is intended to provide for a Party’s compliance with a requirement of the Administrative Simplification Regulations or the HITECH Act or regulations or other guidance issued pursuant to the HITECH Act until the date on which a Party is first required to comply with that requirement.

7.6 Relationship of Parties. None of the provisions of this Agreement are intended to create or shall be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other Arrangement between the Parties.

7.7 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person or entity other than Plan Sponsor, each Party in its capacity as a Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.

7.8 Successors and Assigns. This Agreement shall be binding on the parties and their successors, but neither party may assign the Agreement without the prior written consent of the other, which consent shall not be unreasonably withheld.

7.9 Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any occasion.

7.10 Severability. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement shall remain in full force and effect.

7.11 Notice. Any notice to the other party pursuant to this Agreement shall be deemed provided if sent by first class United States mail, postage prepaid, as follows:

7.12 Indemnification.

i. Each Party shall indemnify and hold harmless the other Party in its capacity as a Business Associate from and against any and all losses, expense, damage or injury that such Party acting as a Business Associate may sustain as a result of, or arising out of a breach of this Agreement by the other Party or its agents or subcontractors, including but not limited to any unauthorized use, disclosure, damage, or destruction of PHI.

ii. Each Party, in its capacity as Business Associate, shall indemnify and hold harmless the other Party from and against any and all losses, expense, damage or injury that such Party may sustain as a result of, or arising out of a breach of this Agreement by the Party acting as a Business Associate or its agents or subcontractors, including but not limited to any unauthorized use, disclosure, damage, or destruction of PHI.

 

7.13 Entire Agreement.  This Agreement sets forth the entire understanding of the Parties with respect to its subject matter and supersedes all prior agreements, arrangements and communications, whether oral or written, pertaining to the subject matter of this Agreement.

The parties have caused this Business Associate Agreement to be executed by their authorized representatives upon signing the Client Service Agreement.

 

Effective Date: 19 NOVEMBER 2020

© 2020 CorVista Health, Inc. All rights reserved.
