WARNING: Using subQdocs may lead to unprecedented efficiency, improved patient care, and an unexpected sense of joy about documentation.

Sign Up

subQdocs User Agreement

This subQdocs User Agreement (this “Agreement”) effective upon the date You first access or use the Services (“Effective Date”), is by and between subQdocs, a Utah limited liability company and its respective parents, subsidiaries, branches, affiliates, agents, employees, successors and assigns (“Provider”), and the person or entity accessing or using the Services (“You” or “Customer”). Provider and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.”

Provider provides the Services solely on the terms and conditions set forth in this Agreement and on the condition that Customer accepts and complies with them. By selecting that You agree and accessing or using the Services, Customer (a) accepts this Agreement and agrees that Customer is legally bound by its terms; and (b) represents and warrants that: (i) You are 18 years of age or older or of legal age to enter into a binding agreement; and (ii) if Customer is a corporation, governmental organization, or other legal entity, You have the right, power, and authority to enter into this agreement on behalf of Customer and bind Customer to its terms. If You do not agree with any of the terms of this Agreement, You may not access or use the Services.

The Agreement contains a Business Associate Agreement (BAA) in Exhibit B, governing the handling of Protected Health Information.

Section 11 of this Agreement contains a binding arbitration provision, which requires that any disputes that should arise from accessing or using the Services shall be resolved exclusively by an arbitrator. Section 11 of this Agreement also contains a waiver to a jury trial or any class action proceedings. Please read Section 11 as it affects your rights under this Agreement.

Provider uses AI Technology to provide the Services under this Agreement. By selecting that You agree and accessing or using the Services, You understand and agree that You are responsible for obtaining all of the relevant consents to use the Services for your use cases, including the processing of Customer Data by AI technology. You also acknowledge and agree that due to the inherent nature of AI Technology, Provider does not warrant or guarantee (i) the accuracy or appropriateness (including medical accuracy or appropriateness) of any AI Output or other information generated by artificial intelligence engines or systems or (ii) that AI Output or other information will be accurate or appropriate (including medical accuracy or appropriateness) for Customer’s use cases, and Customer fully and irrevocably waives and discharges Provider from any responsibility in this regard. Customer is solely responsible for all use of the AI Output and information and for evaluating the accuracy and appropriateness (including medical accuracy or appropriateness) of the AI Output and information for Customer’s use cases, including by utilizing human review as appropriate.

The Parties agree as follows:

Definitions.

“AI Input” means information, data, materials, text, prompts, images, instructions, audio, or other content that is (i) input, entered, posted, uploaded, submitted, transferred, transmitted, or otherwise provided or made available that may be processed by or through AI Technology, or (ii) collected, downloaded, or otherwise received by AI Technology.

“AI Output” information, data, materials, text, prompts, images, or other content of any type and in any format, medium, or form, whether audio, visual, textual, or other results generated, produced, or resulting from, transmitted, or otherwise provided or made available by or in connection with any processing by or through AI Technology in response to an AI Input. For the avoidance of doubt, AI Output constitutes Customer Data.

“AI Technology” means any software-enabled technology utilizing deep learning, machine learning, automated decision-making, or artificial intelligence, including any and all software, data, databases and systems that make use of or employ neural networks, statistical learning algorithms (like linear or logistic regressions, support vector machines, random forests, k-means clustering), transformers, large language models, or reinforcement learning.

“Anonymized Statistics” means data and information related to or derived from Provider’s monitoring of Customer’s use and Provider’s provision of the Services and is used by Provider in a deidentified manner, including to compile statistical and performance information related to the provision and operation of the Services and to improve, develop, adapt, modify, train, or enhance the Services or other products or services the Services. Anonymized Data does not include Customer Data.

“Authorized User” means Customer’s employees, consultants, contractors, and agents (i) who are authorized by Customer to access and use the Services under the rights granted to Customer pursuant to this Agreement and (ii) for whom access to the Services has been purchased hereunder.

“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and as it may be further amended, along with any associated regulations.

“Customer Data” means, other than Anonymized Statistics, information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by or on behalf of Customer or an Authorized User through the Services. Customer Data includes PHI as the term is defined in Exhibit B.

“Documentation” means Provider’s user manuals, handbooks, and guides relating to the Services provided by Provider to Customer either electronically or in hard copy form/end user documentation relating to the Services available at https://subqdocs.ai/. Documentation excludes Licensed Content.

“Licensed Content” refers to the Current Procedural Terminology (CPT®) codes, descriptors, guidelines, and other content and data licensed from the American Medical Association (“AMA”) and incorporated into the Services.

“Provider IP” means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Provider IP includes Anonymized Statistics and any information, data, or other content derived from Provider’s monitoring of Customer’s access to or use of the Services, but does not include Customer Data. Provider IP excludes Licensed Content.

“Services” means the software-as-a-service offering described in Exhibit A. The Services include leveraging AI Input with AI Technology to create AI Output.

“Territory” refers to the United States of America.

Access and Use.

Provision of Access. Subject to terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 12(g)) right to access and use the Services during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Provider shall provide to Customer the necessary links or connections to allow Customer to access the Services. Provider may modify the Services at any time, including adding or removing functionality or imposing conditions on use of the Services. Provider will notify Customer of material adverse changes in, deprecations to, or removal of functionality from, Services that Customer is using. Provider is not obligated to provide any Updates.

Documentation License. Subject to the terms and conditions contained in this Agreement, Provider hereby grants to Customer a non-exclusive, non-sublicensable, non-transferable (except in compliance with Section 12(g)) license to use the Documentation during the Term solely for Customer’s internal business purposes in connection with its use of the Services.

Licensed Content. Customer acknowledges and agrees that the Licensed Content is copyrighted by the American Medical Association (AMA), and “CPT®” is a registered trademark of the AMA. All rights in the Licensed Content not expressly granted to Customer herein are reserved by the AMA.

Subject to the terms and conditions of this Agreement, Provider grants Customer a limited, non-exclusive, non-transferable, and non-sublicensable license to use the Licensed Content solely for Customer’s internal purposes within the Territory, strictly in conjunction with and as an integral part of the Services.

Customer shall not:

  • Make the Licensed Content publicly available, transfer, sell, lease, sublicense, or otherwise make available the Licensed Content, in whole or in part, to any unauthorized third party.
  • Create any derivative works of the Licensed Content, including translations, adaptations, or modifications, or otherwise incorporate the Licensed Content into any other product or service not explicitly authorized by this Agreement. Any unauthorized derivative works of the Licensed Content shall be owned by the AMA.

Customer is responsible for ensuring that all individuals who access or use the Services, including the Licensed Content, under Customer’s account or authorization, comply fully with all the terms and conditions of this Agreement.

Customer understands and agrees that the availability and provision of updated Licensed Content within the Services is contingent upon and dependent on Provider’s continuing contractual relationship with the AMA.

Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) use in a manner that interferes with, damages, or disrupts the proper working of the Services; (v) remove any proprietary notices from the Services or Documentation; (vi) use Documentation, Provider IP, or Licensed Content in any AI Technology, including any large language model (LLM) for pre-training, training, or fine-tuning, or for any other artificial intelligence model development, training, or tuning purposes, except as provided in the Services; or (vii) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.

Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.

Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP; (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider; (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities; (D) subject to applicable law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (E) Provider’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Services; or (iii) in accordance with Section 5(a)(iii) (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.

Anonymized Statistics. Notwithstanding anything to the contrary in this Agreement, Provider may monitor the Services and collect and compile Anonymized Statistics. As between Provider and Customer, all right, title, and interest in Anonymized Statistics, and all intellectual property rights therein, belong to and are retained solely by Provider. Customer acknowledges that Provider may compile Anonymized Statistics based on Customer Data, including AI Input and AI Output, used or generated by the Services. Provider may use Anonymized Statistics to improve, develop, adapt, modify, train, or enhance the Services or other products or services; provided that such Anonymized Statistics do not identify Customer or Customer’s Confidential Information and do not contain PHI as defined in Exhibit B.

Subcontractors. Provider may from time to time in its discretion engage third parties to perform the Services, or a portion thereof (each, a “Subcontractor”).

Customer Responsibilities.

General. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions.

Disclosures and Consents. Customer represents, warrants, and covenants that Customer owns or otherwise has and will have all necessary rights, permissions, and consents in and relating to the Customer Data so that, as received by Provider and processed in accordance with this Agreement, it does not and will not infringe, misappropriate, or otherwise violate any intellectual property rights, or any privacy or other rights of any third party or violate any applicable law.

Compliance with the Law. For the avoidance of doubt, Customer is solely responsible for ensuring that it uses Services in compliance with all laws applicable to Customer’s business, business operations, products and services, including without limitation, any laws applicable to privacy and security, and for evaluating and determining whether its use of the Services and any underlying Systems or technology are permissible and appropriate under such laws.

Privacy and Data Security.

Privacy. Provider shall collect, process, and disclose Customer Data only as necessary for the purposes specified in this Agreement and shall comply with all applicable privacy laws and Covered Entity instructions.

Upon Customer’s request, Provider shall delete or enable Customer to delete all Customer Data, except where it would be technically infeasible to delete the data or retention is required by applicable law.

To the extent US state privacy laws apply, as between the Parties, Customer is a Data Controller or Data Processor and Provider is a Data Processor, as the terms are defined in applicable privacy laws.

To the extent that the CCPA applies, Provider shall not use Customer Data outside of the direct business relationship with Customer; “sell” or “share” Customer Data, as those terms are defined under the CCPA; retain, use or disclose Customer Data outside of the direct business relationship between Customer and Provider; or except as permitted by law, combine Customer Data with other information it receives from, or on behalf of, another person or persons, or collects from its own interaction with an individual.

Provider may use Subcontractors per Section 2(g).

Provider will process Customer Data classified as PHI, as the term is defined in Exhibit B, in compliance with Exhibit B.

Data Security. Provider agrees that its collection, use, storage, and disposal of Customer’s Confidential Information shall at all times comply with appliable law. Provider shall implement and maintain security procedures and practices for Confidential Information that ensure a level of security appropriate to the risk and comply with Applicable Law and industry standards for security and confidentiality, protect against any anticipated or actual threats or hazards to its security or integrity, and prevent unauthorized access, acquisition, destruction, use, modification and/or disclosure, including without limitation, establishing, implementing and maintaining an information security program. Provider shall ensure that its security infrastructures are consistent with industry standards for virus protection, firewalls, and intrusion prevention technologies to help prevent its network, systems, servers, and applications from unauthorized access.

Fees and Payment.

Fees. Customer shall pay Provider the fees (“Fees”) as set forth in Exhibit A without offset or deduction. Customer shall make all payments hereunder in US dollars on or before the due date set forth in Exhibit A. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all reasonable costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for thirty (30) days or more, Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full. Provider may, from time to time, offer a Service or Service feature without charge, or waive Fees for that Service or Service feature. If Provider increases Fees, or introduces new Fees, for a Service that Customer is currently using, then Provider will notify Customer at least thirty (30) days (or longer period if law requires) before the revised or new Fees apply to Customer.

Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.

Auditing Rights and Required Records. Provider may, at its own expense, on reasonable prior notice, periodically inspect and audit Customer’s records with respect to matters covered by this Agreement, provided that if such inspection and audit reveals that Customer has underpaid Provider with respect to any amounts due and payable during the Term, Customer shall promptly pay the amounts necessary to rectify such underpayment, together with interest in accordance with Section 5(a).

Audit of Licensed Content.

Release of Customer Name to AMA. Customer expressly consents to the release of its name, and the name of the entity it represents (if applicable), to the AMA by Provider. This release is solely for the purpose of Provider’s compliance with its licensing obligations, reporting requirements, and the terms of its agreement with the AMA, and for the AMA’s verification and audit purposes with respect to Licensed Content.

Records of Use of Licensed Content. Customer agrees to maintain records of its use of the Licensed Content within the Services as reasonably necessary for Provider to comply with its royalty calculation and reporting obligations to the AMA. Customer expressly consents to the release of such usage information, including but not limited to the number of users or other relevant metrics, to the AMA. Customer further agrees to provide, without undue delay, any additional information that the AMA (as a third-party beneficiary under this Agreement) may reasonably request to verify compliance with its licensing terms. Notwithstanding the foregoing, nothing in this Agreement shall require Customer to submit or release information that would cause Customer to be in violation of applicable federal or state privacy laws, including HIPAA.

Confidential Information. From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether orally or in written, electronic, or other form or media/in written or electronic form or media, whether or not marked, designated, or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

Intellectual Property Ownership; Feedback.

Provider IP. Customer acknowledges that, as between Customer and Provider, Provider owns all right, title, and interest, including all intellectual property rights, in and to the Provider IP. Provider hereby grants Customer a non-exclusive, royalty-free, license to reproduce, distribute, and otherwise use and display the Provider IP solely to the extent incorporated into and necessary for Customer to use and otherwise exploit the AI Output solely for Customer’s internal business operations by Authorized Users in accordance with the Agreement and terms and conditions herein.

Customer Data. Provider acknowledges that, as between Provider and Customer, Customer owns all right, title, and interest, including all intellectual property rights, in and to the Customer Data. Customer hereby grants to Provider a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Provider to provide the Services to Customer, and a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to reproduce, distribute, modify, and otherwise use and display Customer Data incorporated within the Anonymized Statistics.

Feedback. If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Customer hereby assigns to Provider on Customer’s behalf, and on behalf of its employees, contractors, and/or agents, all right, title, and interest in, and Provider is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Provider is not required to use any Feedback.

Limited Warranty and Warranty Disclaimer.

EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), THE PROVIDER IP AND AI OUTPUT ARE PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, INCLUDING ANY AI OUTPUTS, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM, OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE, OR THAT ANY ERRORS OR DEFECTS CAN OR WILL BE CORRECTED. YOU ACKNOWLEDGE THAT, GIVEN THE NATURE OF THE SERVICES AND AI TECHNOLOGY, AI OUTPUT (I) MAY BE INACCURATE, MISLEADING, BIASED, INCOMPLETE, OUTDATED, OR OFFENSIVE, (II) MAY BE THE SAME AS OR SIMILAR TO OUTPUT THE SERVICES GENERATE FOR OTHER CUSTOMERS, (III) MAY NOT QUALIFY FOR INTELLECTUAL PROPERTY PROTECTION, AND (IV) MAY BE SUBJECT TO THIRD PARTY TERMS, INCLUDING, AS APPLICABLE, OPEN SOURCE LICENSES, AND (V) DO NOT NECESSARILY REFLECT, AND MAY BE INCONSISTENT WITH, PROVIDER’S AND THIRD-PARTY PROVIDERS’ VIEWS.

Customer acknowledges and agrees that, due to the inherent nature of AI Technology, Provider does not warrant or guarantee (i) the accuracy or appropriateness of any AI Output or other information generated by artificial intelligence engines or systems or (ii) that AI Output or other information will be accurate or appropriate for Customer’s use cases, and Customer fully and irrevocably waives and discharges Provider from any responsibility in this regard. Customer is solely responsible for all use of the AI Output and information and for evaluating the accuracy and appropriateness of the AI Output and information for Customer’s use cases, including by utilizing human review as appropriate. Customer acknowledges that due to the nature of the Services and use of artificial intelligence generally, AI Output and other information may not be unique and other users may receive similar content from the Services.

Customer acknowledges and agrees that to the extent permitted by applicable law, the use of the Licensed Content (CPT® codes) within the Services is at Customer’s sole risk. The Licensed Content is provided ‘as is’ without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Customer further acknowledges and agrees that:

  • The AMA does not directly or indirectly practice medicine or dispense medical services.
  • Fee schedules, relative value units, conversion factors, and/or related components are not assigned by the AMA, are not part of CPT®, and the AMA is not recommending their use.
  • The Licensed Content does not replace the AMA’s official Current Procedural Terminology book or other appropriate coding authority.
  • The coding information contained in the Licensed Content, as presented within the Services, should be used only as a guide and does not constitute professional medical advice or an endorsement by the AMA of any particular coding or billing practice.

Indemnification.

Provider Indemnification.

Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (“Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (“Third-Party Claim”) that the Services or any use of the Services in accordance with this Agreement (in each case, excluding any AI Output or AI Input used by Provider to train or tune AI Technology incorporated or included in the Services), infringes or misappropriates such third party’s US intellectual property rights provided that Customer promptly notifies Provider in writing of such Third-Party Claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such Third-Party Claim.

If a Third Party-Claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer.

This Section 9(a) will not apply to the extent that the alleged infringement arises from: (A) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; (B) modifications to the Services or AI Output not made by Provider; (C) use, misuse, or disclosure of Customer Data not entirely performed by Provider; (D) Customer’s disablement or circumvention of any applicable source citation, filtering, security, or safety tools or functions of the AI Technology.

Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data, or any use of the Customer Data in accordance with this Agreement, infringes or misappropriates such third party’s US intellectual property rights and any Third-Party Claims based on Customer’s or any Authorized User’s (i) negligence or willful misconduct; (ii) use of the Services in a manner not authorized by this Agreement; (iii) use of the Services in combination with data, software, hardware, equipment, or technology not provided by Provider or authorized by Provider in writing; or (iv) modifications to the Services not made by Provider, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

Customer shall also indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any and all Losses arising from or relating to any Third-Party Claim (a) that the AI Input or processing or any other use thereof in accordance with this Agreement, infringes or misappropriates such third party’s intellectual property rights; (b) based on Customer’s or any Authorized User’s negligence or willful misconduct or use of the AI Technology; or (c) based on Customer’s or any Authorized User’s use or reliance on any AI Output; provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

Sole Remedy. EXCEPT CONCERNING SECTION 6 OF EXHIBIT B, THIS 9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY. IN NO EVENT WILL PROVIDER’S LIABILITY UNDER THIS SECTION 9 EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER TO PROVIDER PURSUANT TO THE AGREEMENT DURING THE 12-MONTH PERIOD PRECEDING THE OCCURRENCE OF THE ACTION OR INACTION GIVING RISE TO SUCH CLAIM FOR LIABILITY.

Limitations of Liability. EXCEPT WITH RESPECT TO SECTION 6 OF EXHIBIT B, IN NO EVENT WILL PROVIDER BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c) LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY, OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. IN NO EVENT WILL PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER TO PROVIDER PURSUANT TO THE AGREEMENT DURING THE 12-MONTH PERIOD PRECEDING THE OCCURRENCE OF THE ACTION OR INACTION GIVING RISE TO SUCH CLAIM FOR LIABILITY.

Term and Termination.

Term. This Agreement continues until Customer or Provider terminates it (this period, the “Term”). Customer may terminate this Agreement at any time by closing Customer account and/or deleting the services. If after termination Customer uses the Services again, this Agreement will apply with an Effective Date that is the date on which Customer first uses the Services again. Provider may terminate this Agreement (or any part) or close Customer’s account at any time for any reason or no reason by notifying Customer. A Party may terminate this Agreement immediately upon notice to the other party if the other Party materially breaches this Agreement, including Exhibit B, and if capable of cure, does not cure the breach within thirty (30) days after receiving written notice specifying the breach.

Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under 6, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund.

Survival. This Section 11(d) and 1, 5, 6, 7, 8(b), 9, 10, and 12 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

Termination of AMA Agreement with Provider.

In the event that the Agreement between Provider and the AMA terminates or expires for any reason, Provider shall notify Customer of such termination or expiration.

Upon such termination or expiration of the Agreement between Provider and the AMA, Customer shall have a limited right to continue using the Licensed Content exclusively within the Services for the remainder of the then-current annual release year of the Licensed Content (e.g., through the end of the applicable calendar year) (the “End User Tail Period”). Customer’s continued use of the Licensed Content during the End User Tail Period is strictly subject to Customer’s ongoing compliance with all terms and conditions of this Agreement.

Upon the expiration of the End User Tail Period, Customer must immediately discontinue all use of the Licensed Content within the Services and shall not access, display, or otherwise utilize any CPT codes or related data obtained through the Services.

Binding Arbitration.

All disputes, claims and controversies, whether based on past, present or future events, arising out of or relating to statutory or common law claims, the breach, termination, enforcement, interpretation or validity of any provision of this Agreement, and the determination of the scope or applicability of Customer’s agreement to arbitrate any dispute, claim, or controversy originating from this Agreement, but specifically excluding any dispute principally related to either Party’s intellectual rights (which will be resolved in litigation before the United States District Court for the District of Utah), will be determined by binding arbitration by telephone, based on written submissions, video conference, or in person in Richfield, Utah or at another mutually agreed location before a single arbitrator with subject matter expertise in matters and areas of law related to this Agreement, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. The arbitrator shall be familiar with the requirements of HIPAA, including the Privacy Rule, Security Rule, and Breach Notification Rule, and shall be obligated to protect the confidentiality of PHI (as defined under Exhibit B) to the extent required by applicable law.

The American Arbitration Association will administer the arbitration under its Commercial Arbitration Rules. The Expedited Procedures of the American Arbitration Association’s Commercial Arbitration Rules will apply for cases in which no disclosed claim or counterclaim exceeds $250,000 USD (excluding interest, attorneys’ fees and arbitration fees and costs). Where no party’s claim exceeds $100,000 USD (excluding interest, attorneys’ fees and arbitration fees and costs), and in other cases where the Parties agree, Section E-6 of the Expedited Procedures of the American Arbitration Association’s Commercial Arbitration Rules will apply.

The arbitrator will apply the substantive law of the State of Utah, in accordance with Section 12(f), and of the United States, including HIPAA and other applicable federal and state laws relating to the privacy and security of health information, excluding their conflict or choice of law rules.

Nothing in this Agreement will preclude the Parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.

Notwithstanding the provisions in this Section 11 referencing applicable substantive law, the Federal Arbitration Act (9 U.S.C. Sections 1-16) will govern any arbitration conducted in accordance with this Agreement.

Arbitration Procedure.

A Party must notify the other Party of its intent to commence arbitration prior to commencing arbitration. The notice must specify the date on which the arbitration demand is intended to be filed, which must be at least 30 days after the date of the notice. During this time period, the Parties will meet for the purpose of resolving the dispute prior to commencing arbitration.

Subject to Section 11.f(i) of this Agreement, each Party may commence arbitration by providing to the American Arbitration Association and the other Party to the dispute a written demand for arbitration, stating the subject of the dispute and the relief requested.

Subject to the disclaimers and limitations of liability stated in this Agreement, the appointed arbitrators may award monetary damages and any other remedies allowed by the laws of the State of Utah. In making a determination, the arbitrator will not have the authority to modify any term of this Agreement. The arbitrator will deliver a reasoned, written decision with respect to the dispute to each Party, who will promptly act in accordance with the arbitrator’s decision. The arbitrator’s decision shall address the parties’ compliance with HIPAA. Any award (including interim or final remedies) may be confirmed in or enforced by a state or federal court located in Salt Lake City, Utah. The decision of the arbitrator will be final and binding on the Parties, and will not be subject to appeal or review.

In accordance with the AAA Rules, the Party initiating the arbitration is responsible for paying the applicable filing fee. Each Party will advance one-half of the fees and expenses of the arbitrator, the costs of the attendance of the arbitration reporter at the arbitration hearing, and the costs of the arbitration facility. In any arbitration arising out of or relating to this Agreement, the arbitrator will award to the prevailing party, if any, the costs and reasonable attorneys’ fees reasonably incurred by the prevailing party in connection with those aspects of its claims or defenses on which it prevails, and any opposing awards of costs and legal fees awards will be offset.

Confidentiality.

The Parties will keep confidential the existence of the arbitration, the arbitration proceeding, the hearing and the arbitrator’s decision, and, jointly with the arbitrator, take all necessary steps to ensure that all PHI (as defined in Exhibit B) is safeguarded, disclosed, and used in accordance with the requirements of HIPAA.

Notwithstanding the foregoing, disclosure of the existence of the arbitration, the arbitration proceeding, the hearing, and the arbitrator’s decision shall be permitted: (a) as necessary to prepare for and conduct the arbitration hearing on the merits; (b) in connection with a court application for a preliminary remedy, or confirmation of an arbitrator’s decision or its enforcement; (c) as permitted under HIPAA; (d) each Party may disclose as necessary to professional advisors that are subject to a strict duty of confidentiality; and (e) as law otherwise requires.

The Parties, witnesses, and arbitrator will treat as confidential and will not disclose to any third person (other than witnesses or experts) any documentary or other evidence produced in any arbitration, except as law requires or if the evidence was obtained from the public domain or was otherwise obtained independently from the arbitration.

Upon conclusion of the arbitration, all copies of PHI in the possession of the Parties and the arbitrator shall be returned to the disclosing party or, if return is not feasible, destroyed in a manner that complies with HIPAA. The arbitrator shall certify such destruction in writing.

Conflict of Rules. In the case of a conflict between the provisions of this Section 11 and the AAA Rules, the provisions of this Section 11 will prevail.

Class Waiver. To the extent Law permits, any dispute arising out of or relating to this Agreement, whether in arbitration or in court, will be conducted only on an individual basis and not in a class, consolidated or representative action. Notwithstanding any other provision of this Agreement or the AAA Rules, disputes regarding the interpretation, applicability, or enforceability of this class waiver may be resolved only by a court and not by an arbitrator. If this waiver of class or consolidated actions is deemed invalid or unenforceable, neither party is entitled to arbitration.

No Jury Trial. If for any reason a claim or dispute proceeds in court rather than through arbitration, each party knowingly and irrevocably waives any right to trial by jury in any action, proceeding or counterclaim arising out of or relating to this Agreement or any of the transactions contemplated between the parties.

Miscellaneous.

AMA is a Limited Third-Party Beneficiary. The Customer acknowledges and agrees that the AMA is an express, limited third-party beneficiary of this Agreement solely with respect to the provisions concerning the Licensed Content (CPT® codes), including its usage, restrictions, intellectual property rights, disclaimers, and the obligations specifically flowing down from Provider’s Agreement with the AMA. The AMA shall have the right to enforce such specific provisions directly against the Customer. Except as expressly provided in this clause, the AMA is not an intended third-party beneficiary of any other term or provision of this Agreement, and this Agreement is not intended to confer upon the AMA any rights or remedies hereunder with respect to any other matter.

Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs (unless otherwise specified): (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.

Notices. Unless this Agreement states otherwise, for notices to Provider, Customer must contact Provider at support@subqdocs.com. A notice Customer sends to Provider is deemed to be received when Provider receives it. Provider may send Customer notices by email, physical mail, or delivery service to the postal address listed in the applicable Customer account. A notice Provider sends to Customer is deemed received by Customer on the earliest of (i) when sent by email; and (iii) three business days after being sent by physical mail or when delivered, if sent by delivery service.

Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, epidemics, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.

Amendment and Modification; Waiver. Provider reserves the right to modify this Agreement, and Customer’s continued use of the Services represents Customer’s agreement to those modifications. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof, and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to effect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of the State of Utah without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Utah. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Utah in each case located in the city of Salt Lake City and county of Salt Lake County, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

Assignment. Customer may not assign any of its rights or delegate any of its obligations hereunder, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the prior written consent of Provider, which consent shall not be unreasonably withheld, conditioned, or delayed. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under 6 or, in the case of Customer, Section 2(c), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.

Exhibit a

Capitalized terms used but not defined in this Exhibit A have the meaning given to those terms in the Agreement.

A. DESCRIPTION OF SERVICES: The Services record and transcribe patient interactions and collect and compile patient data, including visit interactions, check-in forms, intake questions, billing forms, and clinical notes and other data used by Provider, as AI Input. Such AI Input is leveraged by AI Technology to generate AI Output and perform actions on the Authorized User’s behalf in the form of preparing patient medical record information such as the patient’s chief complaint, patient history, history of present illness, medical examination information, medical codes, treatment plan, prescriptions, billing, and notes from the visit. Please note, pursuant to this Agreement, all AI Output must be reviewed and approved by a duly licensed medical professional before it may be relied on for medical purposes. The Services store the information for current and future medical use and generate information that can be shared with the patient. Data, such as documentation and photos may be uploaded to the Services.

B. FEES: The Fees for the Services are based on the number of licensed dermatologists and any other individuals authorized by applicable law and the Customer to sign patient medical records. The Fee charged to the Customer for each such individual shall be Five Hundred U.S. Dollars ($500.00) per month.

Exhibit B – Business Associate Agreement

PREAMBLE AND DEFINITIONS. 

Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Customer (“Covered Entity”) and subQdocs, or any of its corporate affiliates (“Business Associate”), a Utah limited liability company, enter into this Business Associate Agreement (“BAA”) as upon the date Customer first accesses or uses the Services (the “Effective Date”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Agreement (the “Underlying Agreement”).

Consistent with the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.

Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.

A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.

GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE. 

Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by the BAA.

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.

Business Associate agrees to the following breach notification requirements:

  • Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within five (5) calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
  • In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.

Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).

Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in 1.5).

To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

Business Associate agrees to account for the following disclosures:

Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.

Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested from the Covered Entity.

In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.

Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.

General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in 5), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.

Business Associate may use or disclose PHI as Required By Law.

Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures.

Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity. Notwithstanding the foregoing, Business Associate may use or disclose PHI as follows:

Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Business Associate may de-identify any and all PHI obtained by Business Associate and use such de-identified data on Business Associate’s own behalf as set forth herein, all in accordance with the de-identification requirements of the Privacy Rule. The Parties acknowledge and agree that de-identified data does not constitute PHI; provided, however, such de-identified information may only be used and disclosed by Business Associate in connection with the services provided to Covered Entity under the Underlying Services Agreement or a SOW and/or for Business Associate’s internal purposes, such as to improve, develop, adapt, modify, train, or enhance the Services or other products or services, but such de-identified data shall not otherwise be sold or commercialized by Business Associate.

Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

Business Associate may use PHI to the extent and for any purpose authorized by an Individual under 45 C.F.R. § 164.508.

OBLIGATIONS OF COVERED ENTITY.

Covered Entity shall:

  • Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.
  • Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
  • Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under 3 of this BAA.

COMPLIANCE WITH SECURITY RULE.

Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

In accordance with the Security Rule, Business Associate agrees to:

Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA: (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity; and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;

  • Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
  • Report to the Covered Entity any Security Incident of which it becomes aware.

INDEMNIFICATION.

Business Associate shall indemnify, defend, and hold harmless the Covered Entity and Covered Entity’s affiliates (“Indemnified Parties”), from and against any and all losses, expense, damage, or injury (including, without limitation, all costs and reasonable attorney’s fees) that the Indemnified Parties may sustain as a result of, or arising out of: (a) a breach of this BAA by Business Associate or its agents or Subcontractors, including but not limited to any unauthorized use, disclosure, or breach of PHI; (b) Business Associate’s failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to 2.4; or (c) any negligence or wrongful acts or omissions by Business Associate or its agents or Subcontractors, including without limitations, failure to perform Business Associate’s obligations under this BAA, the Privacy Rule, or the Security Rule.

Notwithstanding the foregoing, nothing in this Section shall limit any rights that any of the Indemnified Parties may have to additional remedies under the Underlying Agreement or under applicable law for any acts or omissions of Business Associate or its agents or Subcontractors.

TERM AND TERMINATION.

This BAA shall be in effect as of Effective Date, and shall terminate per Section 12 of the Underlying Agreement or, if:

  • All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with 7.3.

Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

  • Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
  • Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form.
  • Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.
  • Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs (2) and (3) above which applied prior to termination.
  • Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.

MISCELLANEOUS.

The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.

The respective rights and obligations of Business Associate under 6 and 7 of this BAA shall survive the termination of this BAA.

This BAA shall be interpreted in the following manner:

  • Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
  • Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.
  • Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.

This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written related to the subject matter of this BAA. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.

This BAA may be executed in two or more counterparts, each of which shall be deemed an original.

Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Underlying Agreement.