January 17, 2019
We hope you’ll find SmileSIM® to be a valuable tool for you and your practice. This document contains important information that you need to know about our service.
This Terms of Service Agreement (the “Agreement”) governs your (“Dentist”) use of the SmileSIM service provided by SmileSIM LLC, a Delaware limited liability company (“SmileSIM”), and available through the SmileSIM website. Dentist agrees to be bound by this Agreement in connection with accessing and using the SmileSIM Services.
Defined terms, as used in this Agreement, have the meanings set forth in this Section, or elsewhere in the body of this Agreement.
- “Data” means information, content and other data that may be exchanged electronically between Dentist and SmileSIM.
- “Documentation” means the user manuals and/or technical publications as applicable, supplied in connection with Software relating to the installation, use and administration of Software.
- “Patient” means an individual seeking services from a Dentist who uses the SmileSIM website in such Patient’s treatment.
- “Services” means the SmileSIM services provided through the SmileSIM website.
- “Software” means the proprietary software and platform employed by SmileSIM to deliver Services and its associated technology (if applicable) to Dentist at or through the SmileSIM website.
B. LICENSE GRANT AND SmileSIM® RESPONSIBILITIES
- License. SmileSIM hereby grants Dentist a non-exclusive, non-transferable, worldwide right to use Software, solely for Dentist’s own internal business purposes, subject to the terms and conditions of this Agreement and provided that all fees due and payable under this Agreement have been paid by Dentist to SmileSIM. All rights not expressly granted to Dentist are reserved by SmileSIM. Unless specifically authorized by SmileSIM, Dentist may not access Software for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purpose. Dentist shall not: (i) license, sublicense, sell, resell, transfer, assign, distribute, or otherwise commercially exploit or make available to any third-party Software in any way; (ii) modify or make derivative works based upon Software; (iii) create Internet “links” to Software or “frame” or “mirror” any content on any other server or wireless or Internet-based device; or (iv) reverse engineer or access Software in order to (a) build a competitive product or service, (b) build a product using similar ideas, features, functions, or graphics of Software, or (c) copy any ideas, features, functions, or graphics of Software. Dentist may use Software only for its internal business purposes and shall not: (1) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (2) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or that violates a third-party’s privacy rights; (3) send or store material containing software viruses, worms, Trojan horses, or other harmful computer code, files, scripts, agents, or programs; (4) interfere with or disrupt the integrity or performance of Software or the data contained therein; or (5) attempt to gain unauthorized access to Software or its related systems or networks.
- Delivery of Services. During the term of this Agreement, SmileSIM shall deliver the Services in accordance with the terms of this Agreement.
- Change Orders. SmileSIM shall have no obligation to perform Services outside the scope of this Agreement or any applicable Statement of Work. Either party may submit change requests concerning the Services to the other party in writing. On receiving each change request, the receiving party will evaluate the request and provide a written response. If the response is acceptable the parties shall execute a written change order to reflect the change request.
- Delays and Errors. SmileSIM will use commercially reasonable efforts to process and deliver Data to Dentist. However, Dentist acknowledges that delays and errors in processing Data may result from various causes that are beyond SmileSIM’s control, including internet delays, congestion and service interruptions. SmileSIM is not responsible for any delays or errors in processing or delivering Data that are not directly caused by SmileSIM. Dentist shall promptly notify SmileSIM of any delays and errors of which Dentist becomes aware.
C. DENTIST RESPONSIBILITIES
- Compliance with Laws. Dentist is responsible for all activity occurring under any applicable user accounts and Dentist shall abide by all applicable local, state, federal and foreign laws, treaties and regulations in connection with Dentist’s use of the Services and Software, including those related to data privacy, international communications and the transmission of technical or personal data. Further, whereas SmileSIM believes that this Agreement complies with all applicable laws, including the fee-splitting statutes enacted by several States, it does not warrant it to be so and Dentist is responsible for making his or her own independent inquiry as to whether his or her participation in this Agreement complies with all applicable laws.
- License. Dentist grants SmileSIM (i) a non-exclusive, non-transferable (except as permitted herein), license to use, reproduce, modify and transmit Data provided by Dentist for the purpose of performing Services, and (ii) a non-exclusive, non-transferable (except as permitted herein), license to use, reproduce, display, modify, create derivative works of, disclose and distribute any usage data derived by SmileSIM from the provision of Services to Dentist (“Usage Data”) for the purpose of performing the Services, including improving Software and the Services, provided that the Usage Data is disclosed in an aggregate form.
- Delays and Errors. Dentist shall promptly notify SmileSIM of any errors or defects in Software of which Dentist becomes aware.
- Patient Information. Dentist acknowledges that each Dentist is subject to Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the privacy and security regulations promulgated under HIPAA (“HIPAA Regulations”), the Health Information Technology for Economic and Clinical Health Act and its implementing regulations and guidance issued by the Secretary of the Department of Health and Human Services (the “Secretary”) (the “HITECH Act”), and other applicable state and federal laws, including, but not limited to, the Virginia Information Privacy Act, Va. Code Section 59.1-442, et seq. (the “Virginia Privacy Law””). The Parties further acknowledge that Dentist is a “covered entity” for HIPAA and HITECH compliance purposes, and that SmileSIM is not a covered entity. However, SmileSIM may be and become a Business Associate of Dentist to the extent that Dentist uses to the Software to communicate protected health information disclosed to Dentist by a Patient. To that extent, the Business Associate Addendum attached hereto as Exhibit A shall apply and, together with applicable federal and state privacy and security laws, shall govern the use and disclosure of any such protected health information by the Parties.
D. TERM AND TERMINATION
- Term. Unless terminated earlier as provided herein, the initial term of this Agreement shall commence on the Effective Date and shall continue for a period of one (1) year. Thereafter, this Agreement shall automatically renew for successive renewal terms of one (1) year each unless: (i) either Party provides written notice of its intention not to renew at least thirty (30) calendar days prior to the expiration of the then-current term; or (ii) the Agreement is terminated in accordance with this Section D.
- Termination Without Cause. Dentist shall have the right to terminate this Agreement for convenience and without cause upon fifteen (15) days written notice to SmileSIM.
- Termination Upon Legal Prohibition of Relationship. If either Party, based upon the opinion of nationally recognized health care counsel, determines that the Agreement does not comply with any Federal or State legislation or regulation (collectively referred to herein as a “Law”) in effect or to become effective as of a date certain, or if either Party receives notice (“Notice”) of any actual decision, finding or action by any State or Federal governmental agency (collectively referred to herein as an “Action”), which Law or Action, if or when implemented, would have the effect of subjecting either party to civil liability or criminal prosecution under state and/or federal laws, the Party making such determination or receiving such notice shall provide such opinion or Notice to the other party and upon doing so may terminate this Agreement, effective upon the date of such notice of termination.
- Effect of Termination. Promptly upon termination or expiration of this Agreement for any reason, Dentist shall return all SmileSIM Confidential Information to SmileSIM. Termination of this Agreement shall be in addition to and not in limitation of any other rights and remedies to which either Party is or may become entitled.
- SmileSIM IP. All right, title and interest in and to Software and all portions thereof, including all intellectual property rights therein, are and shall remain with SmileSIM and its suppliers. Dentist understands and agrees that all intellectual property rights, and all rights incident thereto, are and shall remain in SmileSIM including all applicable rights to: (i) copyrights, including all rights incident to copyright ownership, such as all rights of publication, registration and rights to create derivative works; (ii) patents; (iii) trademarks; and (iv) trade secrets (including all know-how, ideas, logic, formulas and confidential information embodied in or reflected in Software).
- Dentist IP. All right, title and interest in and to Data provided by Dentist, and all related information provided to and accessed by SmileSIM, including all intellectual property rights therein, are and shall remain with Dentist.
- Proprietary Notices. Dentist shall not permit its employees, officers, agents, subcontractors, or independent contractors to remove any proprietary or other legal or restrictive notice contained on or included in Software.
F. PROTECTION OF PROPRIETARY RIGHTS
- Value in SmileSIM IP. Dentist acknowledges and agrees that Software is a commercially valuable asset of SmileSIM, the development of which required the investment of substantial time, effort and cost by SmileSIM. Dentist further acknowledges and agrees that Software contains trade secrets of SmileSIM and that it is SmileSIM’s Confidential Information and is proprietary to SmileSIM. Accordingly, Dentist hereby agrees to use the highest degree of care to maintain the confidentiality of Software. Dentist shall take all actions necessary to comply with the obligations in this Section, including (and without limiting the generality of the foregoing) limiting the use of and access to Software only to those employees, officers, agents, subcontractors and independent contractors who require such use and access in the ordinary course of their respective employment or representation. Dentist shall immediately notify SmileSIM of any unauthorized use, copying, or disclosure of Software of which it becomes aware and further agrees to immediately take such actions as are necessary to end and prevent any such further use, copying and disclosure. SmileSIM, in its sole and exclusive discretion, may immediately terminate this Agreement in the event Dentist, or any of Dentist’s employees, officer, agents, subcontractors, or independent contractors, violate any provision of this Section. Each Party acknowledges and agrees that any breach of any provision of this Section by Dentist, or its employees, officers, agents, subcontractors, or independent contractors, shall cause immediate and irreparable injury to SmileSIM, and in the event of such breach, SmileSIM shall be entitled to seek and obtain injunctive relief, without bond or other security, and to all other remedies available at law and in equity.
- Definition. “Confidential Information” means any information, whether oral, written, electronic, or in any other format, and whether technical or business in nature, regarding this Agreement, SmileSIM’s or Dentist’s products or business, including Software, information regarding composition, formulation, specifications, packaging, manufacturing processes, equipment, pricing, marketing and business plans, other information not generally known to the public and any other information received under circumstances reasonably interpreted as imposing an obligation of confidentiality; provided that, “Confidential Information” shall not include any of such information which: (i) was publicly available at the time of disclosure by the disclosing Party; (ii) became publicly available after disclosure through no fault of the receiving Party; (iii) was known to the receiving Party prior to disclosure by the disclosing Party; or (iv) was rightfully acquired by the receiving Party after disclosure by the disclosing Party from a third-party who was lawfully in possession of the information and was under no legal duty to the disclosing Party to maintain the confidentiality of the information.
Protection of Confidential information. Each Party shall:
(a) maintain the confidentiality of the Confidential Information of the other Party;
(b) take steps to minimize the dissemination or copying of the Confidential Information of the other Party except to the extent necessary to perform its obligations under this Agreement;
(c) use the same care to prevent disclosure of the Confidential Information of the other Party to third-parties as it employs to avoid disclosure, publication, or dissemination of its own information of a similar nature, but in no event less than a reasonable standard of care;
(d) use the Confidential Information of the other Party solely for the purpose of performing its obligations under this Agreement;
(e) not acquire any express or implied right or license under any patent, copyright, trade secret, or other right or assert any lien against Confidential Information of the other Party;
(f) promptly return, or provide a copy of, as the requesting Party directs, Confidential Information upon the request of the other Party (provided that SmileSIM may retain such Confidential Information as it requires in order to perform the Services for so long as it is required to perform such Services); and
(g) use its best efforts to inform its employees, officers, agents, subcontractors and independent contractors who perform duties with respect to this Agreement about these restrictions.
- Permitted Disclosures. Each Party may disclose Confidential Information of the other Party to its employees, officers, agents, subcontractors and independent contractors who have: (1) a need to know such Confidential Information in order to perform their duties; and (2) a legal duty to protect the Confidential Information. A Party receiving Confidential Information of the other Party assumes full responsibility for the acts and omissions of its employees, officers, agents, subcontractors and independent contractors with respect to such Confidential Information.
- Required Disclosures. Either Party may disclose Confidential Information to the extent disclosure is based on the good faith written opinion of such Party’s legal counsel that disclosure is required by law or by order of a court or governmental agency; provided that, the Party that is the recipient of such Confidential Information shall use all commercially reasonable efforts to maintain the confidentiality of the Confidential Information by means of a protective order or other similar protection and shall give the owner of such Confidential Information prompt notice in order that it have every opportunity to intercede in such process to contest such disclosure and shall use all commercially reasonable efforts to cooperate with the owner of such Confidential Information to protect the confidentiality of such Confidential Information. The owner of such Confidential Information reserves the right to obtain a protective order or otherwise protect the confidentiality of such Confidential Information. Each Party shall be responsible for its own costs with respect to the performance of its obligations under this Section.
- Notification. In the event of any disclosure or loss of Confidential Information, the receiving Party shall notify the disclosing Party as soon as possible.
- Injunctive Relief. Each Party acknowledges that any breach of any provision of this Section by either Party, or its employees, officers, agents, subcontractors, or independent contractors, may cause immediate and irreparable injury to the other Party, and in the event of such breach, the injured Party shall be entitled to seek and obtain injunctive relief to the extent provided by a court of applicable jurisdiction, without bond or other security, and to any and all other remedies available at law or in equity.
- Return of Confidential Information. Unless it is expressly authorized by this Agreement to retain the other Party’s Confidential Information, a Party shall promptly return or destroy, at the other Party’s option, the other Party’s Confidential Information, including materials prepared in whole or in part based on such Confidential Information to the extent containing Confidential Information, and all copies thereof, at the other Party’s request, and an officer of such Party shall certify to the other Party that it no longer has in its possession or under its control any Confidential Information in any form whatsoever, or any copy thereof.
- Confidentiality Agreement. Dentist shall cause its employees, officers, agents, subcontractors and independent contractors to comply with the confidentiality obligations set forth in this Agreement, as such obligations may be amended by the Parties upon mutual written agreement from time to time.
H. WARRANTY AND LIMITATION OF LIABILITY
- Legal Authority; Dentist Content. Each Party represents and warrants to the other Party that: (i) such Party (if Dentist is an entity) is an entity duly organized, validly existing and in good standing under the laws of the state of its incorporation; (ii) such Party has the full and unrestricted power and authority to execute and deliver this Agreement and to carry out the transactions contemplated hereby; and (iii) the performance of such Party’s obligations and duties hereunder does not and shall not conflict with or result in a breach of any other agreement of such Party or any judgment, order, or decree by which such Party is bound. Without limiting the generality of the foregoing, Dentist represents and warrants it has all necessary rights and licenses to post, upload or transmit pictures, videos and other content posted, uploaded or transmitted by Dentist to or through the SmileSIM website.
- Service Warranty. For so long as Dentist is paying the fees owed hereunder, SmileSIM warrants that it shall have and maintain sufficient resources, facilities, capacity and personnel to ensure that the Services shall be performed in accordance with the terms and conditions of this Agreement in a timely, workmanlike and professional manner by qualified personnel. Non-substantial variation of performance from the Documentation does not establish a warranty right.
- Disclaimers. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SOFTWARE, HARDWARE AND THE SERVICES ARE PROVIDED TO DENTIST IN THEIR THEN-EXISTING CONDITION, AS IS, WHERE IS AND WITH ALL FAULTS. DENTIST ACKNOWLEDGES AND AGREES THAT ANY WARRANTIES WITH RESPECT TO HARDWARE SHALL BE LIMITED TO ANY WARRANTIES PROVIDED BY THE ORIGINAL MANUFACTURER OF THE HARDWARE. EXCEPT FOR THE FOREGOING LIMITED WARRANTIES, SmileSIM EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING NON-INFRINGEMENT OF THIRD-PARTY RIGHTS, MERCHANTABILITY, QUIET ENJOYMENT, SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE. SmileSIM DOES NOT REPRESENT OR WARRANT THAT THE SOFTWARE, HARDWARE OR ANY SERVICES WILL BE SECURE, UNINTERRUPTED, OR ERROR FREE, OR MEET DENTIST’S EXPECTATIONS, THAT ANY STORED DATA WILL BE ACCURATE OR COMPLETE, OR THAT ANY ERRORS OR DEFECTS IN SOFTWARE OR HARDWARE WILL BE CORRECTED.
- WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, DENTIST ACKNOWLEDGES AND AGREES THAT THE SmileSIM SERVICES, INCLUDING THE BEAUTY CANVAS MORPHING, ARE SOLELY FOR DEMONSTRATION AND ILLUSTRATIVE PURPOSES, AND SHALL NOT BE DEEMED OR IMPLY A REPRESENTATION, WARRANTY OR GUARANTY OF ANY PARTICULAR RESULT OR OUTCOME.
- Internet Delays. THE SOFTWARE AND SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. SmileSIM IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS.
- Limitation of Liability. SmileSIM SHALL NOT BE LIABLE TO DENTIST FOR ANY LOST PROFITS, LOST REVENUES OR OPPORTUNITIES, DOWNTIME, OR ANY INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, INDIRECT, OR SPECIAL DAMAGES OR COSTS, RESULTING FROM ANY CLAIM OR CAUSE OF ACTION BASED ON BREACH OF WARRANTY, BREACH OF CONTRACT, NEGLIGENCE (INCLUDING STRICT LIABILITY), OR ANY OTHER LEGAL THEORY, EVEN IF SmileSIM KNEW, OR SHOULD HAVE KNOWN, OF THE POSSIBILITY THEREOF.
- By SmileSIM. SmileSIM shall indemnify, defend and hold Dentist and its employees, officers and agents harmless from and against all liability, claims and costs, including reasonable attorneys’ fees connected therewith, on account of any claims brought by a third-party arising out of: (i) a claim that the Services or Software infringe any intellectual property rights of a third-party; (ii) negligent acts or omissions or intentional misconduct of SmileSIM, or its agents or employees, in connection with the provision of the Services; or (iii) SmileSIM’s violation of any applicable laws.
- By Dentist. Dentist shall indemnify, defend and hold SmileSIM and its employees, officers and agents harmless from and against all liability, claims and costs, including reasonable attorneys’ fees connected therewith, on account of any claims brought by a third-party arising out of: (i) negligent acts or omissions or intentional misconduct of Dentist, its agents or employees, in connection with the Services or Software; (ii) Dentist’s violation of any applicable laws; or (iii) any photographs, videos, text, messages or other content posted, uploaded or transmitted by Dentist at or through the SmileSIM website.
- Mitigation. If the Services or Software become, or in SmileSIM’s opinion are likely to become, the subject of an infringement claim, SmileSIM may, in its sole and exclusive discretion, either (i) procure for Dentist the right to continue to receive the Services or use Software (as applicable), or (ii) replace or modify the Services or Software (as applicable) so that it becomes non-infringing, without materially affecting the functionality thereof. If the alternatives specified in (i) or (ii) above are not commercially reasonable in SmileSIM’s sole and exclusive discretion, then SmileSIM may terminate this Agreement, and Dentist shall receive a pro-rated refund of all initial and one-time set up fees paid by Dentist to SmileSIM for the infringing Services or Software (as applicable) based on a three (3) year depreciation. This Section provides Dentist’s sole and exclusive remedy for any infringement claims based on the Services and Software.
- Indemnity Conditions. A Party’s obligation to indemnify as provided in this Agreement is conditioned upon the Party seeking indemnification (the “Indemnified Party”): (i) promptly notifying the other Party (the “Indemnifying Party”) of the claim in writing, no later than thirty (30) calendar days after the Indemnified Party receives written notice of the claim; (ii) giving the Indemnifying Party the sole control of the defense and any settlement negotiations; provided that, no settlement of a claim that involves a remedy other than the payment of money by the Indemnifying Party shall be entered into without the prior written consent of the Indemnified Party, which consent shall not be unreasonably withheld or delayed; and (iii) the Indemnified Party providing the Indemnifying Party with the information, authority and reasonable assistance the Indemnifying Party needs to defend or settle the claim.
- Export Control. Dentist assumes complete responsibility and liability for complying with applicable United States export laws (including any required notices or clearances to or from government agencies) regarding Software and the performance of the Services, and Dentist shall indemnify, defend and hold SmileSIM harmless from and against any violations of United States export laws.
- Governing Law; Venue; Severability. This Agreement shall be governed, construed and enforced in accordance with the laws of the Commonwealth of Virginia without reference to conflicts of law principles. The Parties agree that the exclusive jurisdiction of any actions arising out of, relating to, or in any way connected with this Agreement, shall be in the state or federal courts, as applicable, located in Arlington, Virginia. In the event that one or more of the provisions herein shall be invalid, illegal or unenforceable in any respect, the validity, legality and enforcement of the remaining provisions shall not be affected or impaired.
- Assignment. Dentist shall not assign this Agreement or any rights or obligations hereunder, without the express written consent of SmileSIM. Any assignment or transfer in violation of the foregoing will be null and void. SmileSIM reserves the right to assign this Agreement to any affiliate or any entity in connection with the sale, combination, or transfer of all or substantially all of the assets or capital stock or from any other corporate form of reorganization by or of SmileSIM. Subject to all of the terms and conditions hereof, this Agreement inures to the benefit of and is binding upon the Parties hereto and their successors and assigns.
- Force Majeure. Any delays in or failure of performance of either Party to this Agreement shall not constitute a default under this Agreement or give rise to any claim for damages to the extent such delays or failure of performance are caused by a force majeure event, including acts of god, fire, flood, explosion, war, terrorism, strikes, or other concerted work stoppages of labor, inability to obtain raw material, equipment or transportation, breakage or failure of equipment or apparatus, or loss of any necessary utility. The time for performance so delayed will be deemed extended for the period of such delay; provided that, in the event the delay extends beyond 30 calendar days, the other Party shall be entitled to terminate this Agreement for cause.
- Waiver. The failure to enforce or the waiver by either Party of one default or breach of the other Party shall not be considered to be a waiver of any subsequent default or breach.
- Survival. Notwithstanding any provisions contained in this Agreement to the contrary, in addition to any provisions which by their express terms survive expiration or termination of this Agreement, or by their nature may reasonably be inferred to have been intended to survive expiration or termination of this Agreement, the following provisions shall survive termination of this Agreement: Sections C.1, E, F, G, H, I, J and the attached Business Associate Addendum.
- Publicity. Subject to the prior review and written approval of Dentist, SmileSIM will have the right to issue a press release announcing the transaction entered into pursuant to this Agreement and disclose to third-parties that Dentist is a customer of SmileSIM.
- Notices. All notices required or permitted hereunder shall be in writing, delivered personally, by facsimile, by certified or registered mail, or by nationally recognized overnight courier (e.g., FedEx) at the Parties respective addresses set forth in the signature lines to this Agreement. All notices shall be deemed effective upon personal delivery; or on the business day following receipt by telephonic facsimile; or when received if sent by certified or registered mail or by overnight courier.
- Remedy. The rights and remedies of the Parties will be cumulative (and not alternative). In the event of any litigation between the Parties relating to this Agreement, the prevailing Party will be entitled to recover its reasonable attorneys’ fees, expert witness fees and court costs from the other Party.
- Entire Agreement. This Agreement constitutes the entire understanding of the Parties with respect to the subject matter hereof, and supersedes all prior and contemporaneous written and oral agreements with respect to the subject matter. No modification of this Agreement shall be binding on either Party unless it is in writing and signed by both Parties.
Business Associate Addendum
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
- “BAA” means this Business Associate Addendum.
- “Breach” shall have the meaning given under 45 C.F.R. § 164.402.
- “Business Associate” means SmileSIM to the extent that it receives PHI from Covered Entity in connection with the Underlying Agreement.
- “Covered entity” means Dentist
- “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
- “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
- “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
- “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
- “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
- “Services” shall mean the services for or functions on behalf of Dentist performed by SmileSIM pursuant to the Terms of Service Agreement (“Underlying Agreement”).
- “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.
- “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.
2. OBLIGATIONS OF BUSINESS ASSOCIATE.
- Permitted Uses and Disclosures of Protected Health Information. Business Associate shall not Use or Disclose PHI other than as permitted or required by any Underlying Agreement, this BAA, or as Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so Used or Disclosed by Covered Entity, except that Business Associate may Use or Disclose PHI (i) for the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and shall not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached. Business Associate is not authorized to aggregate the data or to Use the PHI to create de-identified information. To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
- Adequate Safeguards of PHI. Business Associate shall implement and maintain appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. Business Associate shall reasonably and appropriately protect the confidentially, integrity, and availability of e-PHI that it creates, receives, maintains or transmits on behalf of Covered Entity in compliance with Subpart C of 45 C.F.R. Part 164 to prevent Use or Disclosure of PHI other than as provided for by this BAA.
- Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.
- Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce, or agents or subcontractors that is not specifically permitted by this BAA no later than three (3) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident or non-permitted Use or Disclosure of Covered Entity’s PHI that it discovers to determine whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 3.(d)(i). Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.(d)(ii) below.
- Breach of Unsecured PHI. If Business Associate determines that a reportable Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Covered Entity without unreasonable delay but no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity shall be in accordance with 45 C.F.R. §164.410(c). Business Associate shall notify individuals, the Secretary, and the media, as applicable, of any Breach of Unsecured PHI, and shall take steps to mitigate the Breach, in accordance with Subpart D of Part 164. Business Associate shall be responsible for the costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach.
- Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.
- Access to Protected Health Information. Business Associate shall make the PHI it maintains promptly available to an individual, as required by 45 C.F.R. § 164.524. If Business Associate maintains an Electronic Health Record, Business Associate shall provide such information in the electronic form and format requested by the individual if it is readily reproducible in such form and format, and, if not, in such other form and format agreed in accordance with 45 C.F.R. § 164.524(c)(2).
- Accounting. Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528.
- Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate, to execute a Business Associate Agreement that imposes on such agents and subcontractors the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to PHI.
- Minimum Necessary. Business Associate (and its agents or subcontractors) shall, to the extent practicable, limits its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder and the Covered Entity’s minimum necessary policies.
3. TERM AND TERMINATION.
- Term. Subject to the provisions of Section 3.(b), the term of this BAA shall be the term of any Underlying Agreement.
Termination for Cause. In addition to and notwithstanding the termination provisions set forth in any Underlying Agreement, upon Covered Entity’s knowledge of a material breach or violation of this BAA by Business Associate, Covered Entity shall either:
(i)Notify Business Associate of the breach in writing, and provide an opportunity for Business Associate to cure the breach or end the violation within ten (10) business days of such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Covered Entity, Covered Entity may immediately terminate this BAA and any Underlying Agreement upon written notice to Business Associate; or
(ii) Upon written notice to Business Associate, immediately terminate this BAA and any Underlying Agreement if Covered Entity determines that such breach cannot be cured
Disposition of Protected Health Information Upon Termination or Expiration.
(i) Upon termination or expiration of this BAA, Business Associate shall destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such PHI, provided that Business Associate shall have the right to copy any of the Medical Records then in their custody, at their own expense to the extent permitted by law and the terms of the Underlying Agreement, or if this BAA is terminated earlier for any reason, return to Covered Entity the physical custody of the PHI in accordance with the terms of the Underlying Agreement
- Amendment to Comply with Law. This BAA shall be deemed amended to incorporate any mandatory obligations of Covered Entity or Business Associate under the HITECH Act and its implementing HIPAA Regulations. Additionally, the Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Covered Entity to implement its obligations pursuant to HIPAA, the HIPAA Regulations, or the HITECH Act.
- Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement, subject to Section 4(c) below.
- Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.
- Survival. The obligations of Business Associate under Section 3 shall survive termination of this BAA or the Underlying Agreement.