GLOOKO SUBSCRIPTION AGREEMENT TERMS AND CONDITIONS
The Glooko Subscription Agreement consists of these Terms and Conditions and one or more Service Orders (collectively, this “Agreement”). These Terms and Conditions shall apply to each Service Order executed by Glooko and Client.
“Application Services” means hosting and operating a Glooko Application to provide Client with access to and use of such Glooko Application.
“Authorized Users” means persons authorized by Client (including its employees, Patients and Providers) to access and use the Services who possess an authorized user ID and password and for whom Client has paid the applicable user fees.
“Consulting Services” shall mean any training, consulting, data migration, conversion, integration, implementation and/or other services provided by Glooko to Client, as described in the Service Order.
“Content” means all Client Confidential Information, software applications, text, pictures, sound, graphics, video and other data transmitted by Client in using the Services. Content does not include Device Data or Patient Data.
“Device Data” means any data from or about device manufacturers (e.g., Medtronic, Johnson & Johnson One Touch, Abbott, etc.) or device models.
“Glooko Application” means all software and databases used by Glooko to provide the Application Services to Client.
“Glooko Hardware” means all hardware provided by Glooko to enable data upload by the Client or Patient including, without limitation, the Glooko MeterSync Blue, Glooko cables, hubs and Transmitter.
“Patient” means a person seeking health care and who, prior to using the Application Services, has been determined by Client to have a patient-physician relationship with a Physician in accordance with the applicable requirements of State law and of the applicable State licensure boards.
“Patient Data” means personally identifiable information and Device Data that Glooko receives from the Patient.
“Physician” means a licensed physician that participates in Client’s medical practice.
“Provider” means a provider of medical or health services, including, but not limited to a Physician, diabetes educator, a physician assistant, nurse, physical therapist or psychotherapist.
“Service Order” means the written description of the Services to be provided by Glooko to Client that is executed by Client and Glooko and expressly refers to this Agreement.
“Services” means the Application Services, Consulting Services and any other services identified in this Agreement.
2.1. Services. Glooko shall use commercially reasonable efforts to provide the Services in accordance with the terms and conditions of this Agreement. In the event of any conflict between the body of this Agreement and a Service Order, the terms and conditions set forth in the body of this Agreement shall govern. The Services shall include the provision of technical support to Authorized Users via email or other online systems during Glooko’s regular business hours, in accordance with Glooko’s then-current technical support policies. Authorized Users shall complete training prior to their use of the Application Services. Upon Client’s request, Glooko may provide additional technical support at Glooko’s then-current hourly rates, subject to the execution of a mutually agreed upon Service Order. Patients can subscribe to Glooko directly and in conjunction with that subscription, the Patient has control of their Patient Data and what third parties they give access to their Patient Data.
2.2. Security. Glooko has implemented commercially reasonable security measures to prevent unauthorized access to Patient Data, computer hardware and other equipment and/or software possessed and used by Glooko to provide the Application Services. In addition to securing Patient Data, Glooko will use the same commercially reasonable security measures to prevent unauthorized access to Protected Health Information, as defined in the business associate agreement. Client shall be solely responsible for the security of the Client operating environment.
2.3. Glooko Application Changes. Glooko may from time to time develop enhancements, updates, improvements, modifications, extensions and other changes to the Application Services (“Glooko Application Changes”). Client hereby authorizes Glooko to implement such Glooko Application Changes for use with the Application Services, provided that such Glooko Application Changes do not have a material adverse effect on the functionality or performance of the Application Services.
2.4. Cooperation; Access. Client acknowledges that the successful and timely rendering of the Services shall require the good faith cooperation of Client. Glooko shall not be liable for any failure to perform the Services that arises from Client’s failure to cooperate with Glooko.
2.5. Special Terms. The Application Services provided to Client shall be subject to any specific limitations set forth in the Service Order, including limitations on bandwidth and data storage.
3. USE OF THE APPLICATION SERVICES.
3.1. Glooko License. Glooko hereby grants to Client a non-transferable, non-exclusive, license during the term of this Agreement, to allow Authorized Users to access and use, over public and private networks, the Application Services for its medical practice and not for use by any third party. The number of Authorized Users and Providers accessing the Application Services shall not exceed the number purchased by Client, as indicated in the Service Order. Client shall notify Glooko in writing in the event it wishes to increase the number of Providers or Authorized Users. Upon receipt of such notice, Glooko shall increase the number of Providers or Authorized Users at Glooko’s then-current rates. Client may, upon 90 days’ written notice, reduce the number of Providers or Authorized Users by up to ten percent (10%) during each Term of this Agreement.
3.2. Sponsorship. If use of the Glooko Application Services, Glooko Application and Glooko Hardware is sponsored by a third party and such sponsorship is cancelled, the Authorized User may contact Glooko directly to license Services, subject to separate fees.
3.3.1. Glooko owns all right, title and interest in and to the Application Services, Glooko Application and the technology embodied in the Glooko Hardware. The Application Services, Glooko Application and Glooko Hardware are provided to Client for use only as expressly set forth in this Agreement, and Client will not use the foregoing in whole or in part for any other use or purpose. Client will not, and will not allow any third party to (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques or algorithms of the Glooko Application or the Glooko Hardware by any means, or disclose any of the foregoing; (ii) except as expressly set forth in this Agreement, provide, rent, lease, lend, or use the Glooko Application for timesharing, subscription, or similar purposes; or (iii) sublicense, resell, transfer or assign the Services or Glooko Hardware or any of the rights or licenses granted under this Agreement.
3.3.2. Client shall not use the Application Services for storage, possession, or transmission of any information, the possession, creation or transmission of which violates any state, local or federal law, including without limitation, those laws regarding stolen materials, obscene materials or child pornography.
3.3.3. Client shall not transmit Content over the Application Services or the Glooko Hardware that infringes upon or misappropriates the intellectual property or privacy rights of any third party.
3.3.4. Client understands the Application Services streamline the normal operations of a medical practice and that the Application Services are not designed for medical emergencies. Client agrees to inform its Patients that the Service is not designed for emergency use.
3.3.5. Glooko and Client agree that only appropriately licensed Providers and Authorized Users shall assess, diagnose, and recommend treatment for Patients. Client acknowledges and agrees that Glooko is not engaged in the practice of medicine through the provision of the services contemplated herein. Client shall take all actions required to ensure that its use of the Application Services is in compliance with all applicable laws, rules, regulations and professional standards. Client shall be solely responsible for verifying the identity and authenticity of Authorized Users. Neither party shall interfere with, control, or otherwise influence the physician-patient relationship established between a Physician and a Patient. Client shall take all reasonable precautions to ensure that the Application Services are utilized by its Authorized Users in a manner consistent with applicable ethical and legal requirements. Glooko SHALL HAVE NO OBLIGATION, RESPONSIBILITY OR LIABILITY FOR ANY PHYSICIAN’S PROVISION OF PROFESSIONAL SERVICES.
3.3.6. Nothing in this Agreement shall be construed as an offer for payment by one party to the other party or any affiliate of the other party of any cash or other remuneration, whether directly or indirectly, overtly or covertly, for Patient referrals or for recommending or for arranging, purchasing, leasing or ordering any item or service.
3.3.7. Client shall be prohibited from: (i) sharing or publishing reports or analysis that includes Patient Data or Device Data (or any data contained therein); (ii) commercializing any product offerings utilizing the Device Data or Patient Data (or any data contained therein); or (iii) sublicensing or sharing the Device Data or Patient Data Extract (or any data contained therein) with any other individual or entity whatsoever.
3.4. Client Content. Client hereby grants to Glooko a worldwide, non-exclusive, fully paid-up license to use, copy, modify, enhance, display, publish, distribute, create derivative works of and otherwise use the Content in any manner reasonably necessary to perform the Services. An example of Content would include a Client’s logo that is presented in the Application Services. Client represents and warrants that it has all rights necessary to grant Glooko the foregoing license. Client further represents and warrants that Client owns or all right, title and interest in and to the Content or has a license granting it the rights necessary to permit it to grant the foregoing license. If Client licenses any Content, it shall not provide such Content to Glooko until it provides Glooko with a copy of the license.
4.1. Fees. Client agrees to pay Glooko for the performance of the Services in accordance with the rates and fees specified in the Service Order. The number of Patients whose data is updated to Glooko at least once every 6 months shall be used for calculating fees in conjunction with the terms specified in the Service Order. Unless otherwise specified on a Service Order, on each one-year anniversary of a Service Order, Glooko may increase the rates and fees set forth in such Service Order by up to the annual percentage change reflected in the 12-month non seasonally adjusted CPI-U, U.S. City Average published by the U.S. Bureau of Labor Statistics and found on the website: http://www.bls.gov/cpi/. Glooko shall give Client notice of such increase prior to its effective date. Unless otherwise set forth in the Service Order, all payments shall be made in United States dollars no later than thirty (30) days after the date of invoice. All payments not received when due shall accrue interest at a rate per month of one and one-half percent (1.5%) and entitle Glooko, in its sole discretion, to terminate this Agreement with immediate effect by providing Client with written notice.
4.2. Taxes. The fees payable under this Agreement shall not include local, state or federal sales, use, value-added, excise or personal property or other similar taxes or duties now in force or enacted in the future imposed on the transaction and/or the delivery of the Services, all of which Client shall be responsible for and pay in full except those taxes based on the net income of Glooko.
4.3. Shipping. The delivery of the Glooko Hardware and any other items included in the subscription is not included in the annual subscription fee and is not covered by Glooko. All delivery costs will be noted on your Service Order or invoice for payment. Glooko Hardware is purchased by the Client, not leased, and the risk of loss passes to Client upon shipment by Glooko.
5. TERM AND TERMINATION.
5.1. Term. Unless earlier terminated in accordance with its terms, each Services Agreement Order Form will have the initial term set forth in the Service Order (the “Initial Term”). Unless otherwise set forth in a Service Order, upon the expiration of each Initial Term, the term of a Service Order will renew automatically for additional terms of one (1) year each (“Renewal Term”, and together with the Initial Term, the “Term”), unless either party notifies the other party, at least ninety (90) days prior to the end of the then-current Term that it has elected to terminate such Service Order, in which event such Service Order will terminate at the end of such Term. Unless earlier terminated in accordance with its terms, this Agreement will expire on the date the last Service Order then in effect expires or is terminated pursuant to the terms and conditions set forth in this Agreement.
5.2. Termination for Cause. Except as otherwise provided herein, either party may terminate this Agreement upon the material breach of the other party, if such breach remains uncured for thirty (30) days following written notice to the breaching party.
5.3. Effect of Termination. Upon the expiration or termination of this Agreement, (i) Glooko will terminate Client’s access to the Application Services and will cease the provision of all Services; and (ii) Client will destroy or return the Glooko Hardware for recycling, as directed by Glooko.
6.1. Glooko warrants that during the term of this Agreement, the Application Service will perform, in all material respects, in accordance with its then-current published functional specifications. In the event of any failure of the Application Services to perform in a material respect to such specifications, Glooko will, as Client’s sole and exclusive remedy for such failure, repair the applicable Application Service.
6.2. Glooko Hardware Warranty. Glooko warrants to the Client for twelve (12) months from the date of purchase of Glooko Hardware that it shall be free from defects in material and workmanship. Glooko’s sole and exclusive liability (and Authorized User’s sole and exclusive remedy) under the foregoing warranty shall be to repair or replace the Glooko Hardware or provide Client a refund for Glooko Hardware only, as determined by Glooko in its sole discretion. All shipping costs incurred in connection with returns or replacements under this section shall be borne by Glooko. The foregoing limited warranty is conditioned on Client (i) promptly notifying Glooko of the defect, (ii) complying with any Glooko instructions regarding Glooko’s repair or replacement of the Glooko Hardware (if applicable), and (iii) furnishing Glooko with all original packaging and documentation for the Glooko Hardware upon returning it for repair or replacement (if applicable).
6.3 DISCLAIMER OF WARRANTIES. EXCEPT AS SET FORTH IN THIS SECTION 6, GLOOKO MAKES NO WARRANTIES REGARDING THE SERVICES OR THE GLOOKO HARDWARE, AND GLOOKO HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, WITH RESPECT TO THE SERVICES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, COMPATIBILITY OR SECURITY. GLOOKO DOES NOT WARRANT THAT ACCESS TO OR USE OF THE APPLICATION SERVICES AND GLOOKO HARDWARE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT ALL DEFECTS AND ERRORS IN THE APPLICATION SERVICE AND GLOOKO HARDWARE WILL BE CORRECTED, OR THAT THE SERVICES OR GLOOKO HARDWARE WILL MEET ANY PARTICULAR CRITERIA OF PERFORMANCE OR QUALITY. GLOOKO DOES NOT PROVIDE ANY WARRANTIES REGARDING THE ACCURACY OF DATA OR INFORMATION PROVIDED BY THIRD PARTIES. The provisions of this Section allocate the risks under this Agreement between Glooko and Client. Glooko’s pricing reflects this allocation of risk and the limitation of liability specified herein.
7.1. Infringement. Glooko shall defend, indemnify and hold harmless Client, its subsidiaries, affiliates, officers, directors, agents, employees and assigns, from and against any and all claims, suits, proceedings, losses, damages, liabilities, costs and expenses (including, without limitation, reasonable attorneys’ fees) (collectively, “Losses”) suffered or incurred by them in connection with a third party claim arising out of any actual or threatened claim that the Application Services infringes upon or misappropriates any copyright, patent, trademark, trade secret, or other proprietary or other rights of any third party. Glooko shall have no obligation to indemnify Client to the extent the alleged infringement arises out of (i) the use of the Application Services in combination by Client with other data products, processes or materials not provided by Glooko and such infringement would not have occurred but for Client’s combination; or (ii) the Content. Should the Application Services as used by Client become, or in Glooko’s opinion be likely to become, the subject of an infringement claim, Glooko shall at its option and sole expense either: (i) procure for Client the right to continue to use the Application Services as contemplated hereunder, or (ii) modify the Application Services to eliminate any such claim that might result from its use hereunder or (iii) replace the Application Services with an equally suitable, compatible and functionally equivalent non-infringing Application Services at no additional charge to Client. If none of these options is reasonably available to Glooko, then this Agreement may be terminated at the option of either party hereto without further obligation or liability on the part of either party hereto except that Glooko agrees to promptly refund to Client the pro-rata portion of any fees prepaid by Client amortized on a straight-line basis based over the term of this Agreement.
7.2. Client Indemnity. Client shall defend, indemnify and hold harmless Glooko, its subsidiaries, affiliates, officers, directors, agents, employees and assigns, from and against any and all Losses suffered or incurred by them in connection with a third party claim arising out of (i) a breach by Client of this Agreement, (ii) Client’s use of the Services or (iii) Client’s failure to comply with laws, rules, regulations or professional standards.
7.3. Mechanics of Indemnity. The indemnifying party’s obligations are conditioned upon the indemnified party: (i) giving the indemnifying party prompt written notice of any claim, action, suit or proceeding for which the indemnified party is seeking indemnity; (ii) granting control of the defense and settlement to the indemnifying party; and (iii) reasonably cooperating with the indemnifying party at the indemnifying party’s expense.
8. CONFIDENTIAL INFORMATION.
8.1. Except as expressly permitted in this Section 8, neither party will, without the prior written consent of the other party, disclose any Confidential Information of the other party to any third party. Information will be considered Confidential Information of a party if either (i) it is disclosed by the party to the other party in tangible form and is conspicuously marked “Confidential”, “Proprietary” or the like; or (ii) (a) it is disclosed by a party to the other party in non-tangible form and is identified as confidential at the time of disclosure; and (b) it contains the disclosing party’s customer lists, customer information, technical information, pricing information, pricing methodologies, or information regarding the disclosing party’s business planning or business operations. In addition, notwithstanding anything in this Agreement to the contrary, the terms of this Agreement will be deemed Confidential Information of Glooko. Glooko may, in any manner, publicly announce the relationship with Client. Glooko may also develop, with customer review and approval, a business use case that may be used for Glooko marketing purposes.
8.2. Other than the terms and conditions of this Agreement, information will not be deemed Confidential Information hereunder if such information: (i) is known to the receiving party prior to receipt from the disclosing party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (ii) becomes known (independently of disclosure by the disclosing party) to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; or (iv) is independently developed by the receiving party without the use of the disclosing party’s Confidential Information.
8.3. Each party will secure and protect the Confidential Information of the other party (including, without limitation, the terms of this Agreement) in a manner consistent with the steps taken to protect its own trade secrets and confidential information, but not less than a reasonable degree of care. Each party may disclose the other party’s Confidential Information where (i) the disclosure is required by applicable law or regulation or by an order of a court or other governmental body having jurisdiction after giving reasonable notice to the other party with adequate time for such other party to seek a protective order; (ii) if in the opinion of counsel for such party, disclosure is advisable under any applicable securities laws regarding public disclosure of business information; or (iii) the disclosure is reasonably necessary and is to that party’s, or its affiliates’, employees, officers, directors, attorneys, accountants and other advisors, or the disclosure is otherwise necessary for a party to exercise its rights and perform its obligations under this Agreement, so long as in all cases the disclosure is no broader than necessary and the person or entity who receives the disclosure agrees prior to receiving the disclosure to keep the information confidential. Each party is responsible for ensuring that any Confidential Information of the other party that the first party discloses pursuant to this Section 8 (other than disclosures pursuant to clauses (i) and (ii) above that cannot be kept confidential by the first party) is kept confidential by the person receiving the disclosure.
9. LIMITATIONS OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, GLOOKO AND ITS SHAREHOLDERS, AFFILIATES, DIRECTORS, MANAGERS, EMPLOYEES OR OTHER REPRESENTATIVES SHALL NOT BE LIABLE TO CLIENT, AUTHORIZED USERS OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES (INCLUDING REASONABLE ATTORNEYS’ FEES AND LOST PROFITS) THAT RESULT FROM OR ARE RELATED TO THIS AGREEMENT, EVEN IF GLOOKO HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT, GLOOKO’S AGGREGATE LIABILITY TO CLIENT FOR DAMAGES, COSTS, AND EXPENSES SHALL NOT EXCEED THE AMOUNTS RECEIVED BY GLOOKO FROM CLIENT IN THE TWELVE MONTHS PRECEDING THE EVENT GIVING RISE TO SUCH DAMAGES.
10.1. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to the choice of law provisions thereof. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement. Any contract dispute or claim arising out of, or in connection with, this Agreement shall be finally settled by binding arbitration in Santa Clara, California, in accordance with (the “Uniform Arbitration Act”) and the then current rules and procedures of the American Arbitration Association by one (1) arbitrator appointed by the American Arbitration Association. The arbitrator shall apply the law of the State of California, without reference to rules of conflict of law or statutory rules of arbitration, to the merits of any dispute or claim. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. The parties agree that, any provision of applicable law notwithstanding, they will not request, and the arbitrator shall have no authority to award punitive or exemplary damages against any party. In the event that any arbitration, action or proceeding is brought in connection with this Agreement, the prevailing party shall be entitled to recover its costs and reasonable attorneys’ fees. Notwithstanding the foregoing, nothing herein shall preclude either party from seeking injunctive relief in any state or federal court of competent jurisdiction without first complying with the arbitration provisions of this Section.
10.2. Severability. If any provision of this Agreement is held to be invalid or unenforceable for any reason, it shall be deemed omitted and the remaining provisions will continue in full force without being impaired or invalidated in any way. The parties agree to replace any invalid provision with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
10.3. Waiver. The waiver by either party of a breach of any provision of this Agreement will not operate or be interpreted as a waiver of any other or subsequent breach.
10.4. Assignment. This Agreement shall be binding upon the parties’ respective successors and permitted assigns. Client shall not assign this Agreement, and/or any of its rights and obligations hereunder, without the prior written consent of Glooko, which consent shall not be unreasonably withheld. This Agreement, and the rights and obligations herein, may be assigned by Glooko to any person or entity without the written consent of the Client.
10.5. Independent Contractors. The parties to this Agreement are independent contractors and not partners, employee-employer or joint venturers.
10.6. Strategic Relationships. Glooko may enter into strategic relationships with third parties that may benefit Client by increasing patient utilization. In such an event, Glooko shall be permitted to place appropriate links, icons or displays within the Glooko Application that is accessed as part of the Application Services. Although Glooko may include links providing direct access to third-party Internet sites as a convenience, the inclusion of a link does not imply endorsement of the linked site by Glooko. Glooko does not take responsibility for the content or information contained on those other sites, and does not exert any editorial or other control over those other sites. Glooko does not take responsibility for the privacy policies and practices of these third-party links.
10.7. Notices. All notices required to be given under the terms of this Agreement or which any of the parties hereto may desire to give hereunder, shall be in writing, shall be delivered via one of the following methods, and shall be deemed to have been received: (i) on the day given delivered by hand (securing a receipt evidencing such delivery); or (ii) on the second day after such notice is sent by a nationally recognized overnight or two (2) day air courier service, full delivery cost paid; or (iii) on the fifth day after such notice was mailed, registered mail, prepaid, return receipt requested, and addressed to the party to be notified at the addresses set forth in the Service Order.
10.8. Survival. All provisions of this Agreement relating to proprietary rights, payment of fees accrued, confidentiality and non-disclosure, indemnification and limitation of liability shall survive the completion of the Services or any termination of this Agreement.
10.9. Legal Fees. In the event of any proceeding or lawsuit brought by Glooko or Client in connection with this Agreement, the prevailing party shall be entitled to recover its costs and legal fees (including, but not limited to, allocated costs of in-house staff counsel) and court costs.
10.10. Force Majeure. Neither party will be liable to the other for failure to meet its obligations under this Agreement where such failure is caused by events beyond its reasonable control such as fire, failure of communications networks, riots, civil disturbances, embargos, storms, acts of terrorism, pestilence, war, floods, tsunamis, earthquakes or other acts of God.
10.11. Subsequent Modifications. No amendment, alteration or modification of this Agreement shall be effective or binding unless it is set forth in a writing signed by duly authorized representatives of both parties.
10.12. Entire Agreement. This Agreement and any exhibits and schedules attached hereto, constitutes the entire agreement between the parties in connection with the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, of the parties, and there are no warranties, representations and/or agreements among the parties in conjunction with the subject matter hereof except as set forth in this Agreement.
BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and
WHEREAS, the American Recovery and Reinvestment Act (“ARRA”) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties wish to enter into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information (“PHI”), as defined below, in fulfilling its responsibilities under such arrangement; and
If a Service Order entered into under a Subscription Agreement between Glooko and the client thereto provides that the parties will enter into Glooko’s standard Business Associate Agreement, then Glooko (“Business Associate”), and such client (the “Covered Entity”) (each a “Party” and collectively the “Parties”) hereby agree to the terms and conditions of this Business Associate Agreement (this “Business Associate Agreement”).
Article 1 Definitions
Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, codified as 42 U.S.C. §1320d (“HIPAA”), the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (the “HITECH” Act), and any current and future regulations promulgated under HIPAA or HITECH.
1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the “HIPAA Privacy Regulations”) which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
(a) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Regulations; or
(b) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Regulations; or
(c) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
1.2 “Designated Record Set” means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.
1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Regulations.
1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
1.5 “HIPAA Privacy Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
1.6 “HIPAA Security Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and subparts A and C of part 164.
1.7 “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the HITECH Act and any regulations promulgated thereafter.
1.8 “Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and: (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
(b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.9 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined above. PHI does not include any data received by the business associate directly from a patient where the patient agrees to the BA’s t&c’s prior to sharing their data. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Business Associate Agreement.
1.10 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
1.11 “Unsecured Protected Health Information” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h) of the HITECH Act.
Article 2 Obligations of Business Associate
2.1 Limited Use or Disclosure of PHI. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the Agreement or as required by law. Business Associate may (1) use and disclose PHI to perform the services agreed to by the Parties; (2) use or disclose PHI for the proper management and administration of Business Associate or in accordance with its legal responsibilities; (3) use PHI to provide data aggregation services relating to health care operations of Covered Entity; (4) use or disclose PHI to report violations of the law to law enforcement; or (5) use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. §164.514. Business Associate will not sell PHI or use or disclose PHI for marketing or fund raising purposes as set forth in the HITECH Act.
2.2 Subcontractors. Business Associate agrees to require any subcontractor to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, to agree to the same restrictions and conditions that apply throughout this Business Associate Agreement to Business Associate with respect to such information. Subcontractors shall receive appropriate training, and agree to implement reasonable and appropriate safeguards to protect any of such information which is PHI or Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Business Associate Agreement.
2.3 Safeguards. Business Associate agrees to use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
2.4 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this Business Associate Agreement.
2.5 Compliance. Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.
2.6 Notice of Use or Disclosure, Security Incident or Breach. (a) Business Associate agrees to notify the designated Privacy Officer of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of breach. Business Associate shall provide the following information in such notice to Covered Entity:
(i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;
(ii) a description of the nature of the Breach including the types of unsecured PHI that were involved, the date of the Breach and the date of discovery;
(iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);
(iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;
(v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and
(vi) any other details necessary for Covered Entity to assess risk of harm to Individual(s), including identification of each Individual whose unsecured PHI has been Breached and steps such Individuals should take to protect themselves.
(b) Covered Entity will be responsible for providing notification to Individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HITECH Act. In the event that a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s breach analysis procedures, including risk assessment and determination of the extent of access of such unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.
(c) Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
(d) The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
2.7 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably requested by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.
2.8 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees, upon request of Covered Entity or an Individual.
2.9 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary in a time and manner designated by the Covered Entity or Secretary, for the purposes of the Secretary in determining the Parties’ compliance with HIPAA, the HITECH Act, the American Recovery and Reinvestment Act, and corresponding regulations.
2.10 Accounting and Audit. Business Associate agrees to provide to Covered Entity an accounting of PHI disclosures made by Business Associate, including disclosures made for treatment, payment and health care operations. The accounting shall be made within a reasonable amount of time upon receipt of a request from Covered Entity. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule.
2.11 Security of Electronic Protected Health Information. Business Associate agrees to (1) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity; (2) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (3) report to the Covered Entity any security incidents of which it becomes aware.
2.12 Minimum Necessary. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. §164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
2.13 Permitted Uses and Disclosures. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate HIPAA, ARRA, or the HITECH Act if done by the Covered Entity. Notwithstanding the prohibitions set forth in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information:
(a) if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or
(b) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
(c) Business Associate may de-identify any and all Protected Health Information created or received by Business Associate under this Agreement; provided, however, that such de-identification conforms to the requirements under HIPAA. Such resulting de-identified information shall not be subject to the terms of this Agreement.
Article 3 Obligations of Covered Entity
3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.
3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate the HIPAA Privacy Regulations, ARRA, or the HITECH Act if done by Covered Entity.
3.5 Consents. Obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.
Article 4 Term and Termination
4.1 Term. The Term of this Business Associate Agreement shall be effective as of the date listed above and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a violation or material breach of this Business Associate Agreement, the non-breaching Party may take one of the following steps:
(a) Provide an opportunity for the breaching Party to cure the breach or end the violation, and if the breaching Party does not cure the breach or end the violation within a reasonable time, terminate this Agreement;
(b) Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Agreement and cure of the material breach is not possible; or
(c) If neither cure nor termination is feasible, elect to continue this Business Associate Agreement and report the violation or material breach to the Secretary in accordance with the requirements set forth in the HITECH Act.
4.3 Disposition of PHI Upon Termination or Upon Request. (a) Upon termination of this Business Associate Agreement, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associate on behalf of Covered Entity which Business Associate still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.
(b) It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Business Associate Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Business Associate Agreement that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
Article 5 Miscellaneous
5.1 No Third Parties; Survival. Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Business Associate Agreement do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Business Associate Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.
5.2 Amendment. The Parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, ARRA, or the HITECH Act and any applicable regulations in regard to such laws.
5.3 Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA, ARRA, or the HITECH Act or any applicable regulations in regard to such laws.
5.4 Prior Agreement. This Business Associate Agreement shall replace and supersede any prior Business Associate Agreement between the Parties.
5.5 Ambiguity. Any ambiguity of this Business Associate Agreement shall be resolved to permit the Parties to comply with the HITECH Act, HIPAA, ARRA, and the Privacy and Security Rules and other implementing regulations and guidance.
5.6 Minimum Requirements. The provisions of this Business Associate Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.
5.7 Notices. Except as otherwise specified herein, all notices, demands or communications required under this Business Associate Agreement shall be in writing and delivered personally, or sent either by U.S. certified mail, postage prepaid return receipt requested, or by overnight delivery air courier (e.g., Federal Express) to the parties at their respective addresses set forth above in this Agreement and, for Glooko, with a copy to: Glooko Inc., Attention: CEO, Law Department, 303 Bryant Street, Mountain View, CA 94041. All such notices, requests, demands, or communications shall be deemed effective immediately upon receipt.
5.8 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Business Associate Agreement is the entire agreement between the parties in connection with the subject matter herein and this Business Associate Agreement may be amended or modified only in a writing signed by the Parties. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Business Associate Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Business Associate Agreement. Any assignment of this Business Associate Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Business Associate Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Business Associate Agreement and any other agreements between the Parties evidencing their business relationship. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Business Associate Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Business Associate Agreement will remain in full force and effect. 
In addition, in the event a Party believes in good faith that any provision of this Business Associate Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Business Associate Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.
If you have any questions regarding the Service, please contact Glooko at 650-720-5310.
303 Bryant St., Mountain View
Effective Date: April 3, 2017