Compumedics USA neXus 360 Subscription Agreement Ts&Cs

Compumedics USA neXus 360 Subscription Agreement

1. Agreement Definitions

“Acquisition Software” means any native software included as part of the applicable neXus 360 subscription that is separately licensed and/or made available to You by Compumedics.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
“Ancillary Software” means any software agent or tool that Compumedics makes available to You for the purposes of facilitating Your access to, operation of, and/or use with, the Services Environment.
“Compumedics Hosted” means Compumedics provides You with access to neXus 360 in a Compumedics’ hosted environment, together with applicable Support Services for neXus 360, but excludes technical service and support activities attributable to the Compumedics hardware installed at Your site, if applicable, or the training of staff as it relates to the hardware.
“Compumedics Programs” refers to the software products owned, licensed or sub-licensed by Compumedics to which Compumedics grants You access as part of neXus 360, including Program documentation, and any program updates provided to You as part of neXus 360. Third-party licensed technologies not owned by Compumedics are subject to the terms of their respective sub-licenses although the terms of this Agreement control the relationship between You and Compumedics.
“Compumedics Services” means any Support Services or Professional Services provided by Compumedics to You.
“Configuration” means the configuration of software, hardware, and services to be provided to You as set out in the applicable Order Document.
“Customer Hosted” means You (rather than Compumedics) are providing all data centre hardware and third party Programs (server(s), storage, backup services, and network communication appliances) that will host neXus 360.
“Data Center Region” means the geographic region in which the Services Environment is physically located, as indicated in an applicable Order Document.
“De-Identified Data” refers to Protected Health Information that has had removed all elements that could be used to identify the individual or the individual’s relatives, employer, or household members for which that data is associated. Typically, this applies to Protected Health Information, but could apply to other portions of Your Content under the
terms of this Agreement.
“Invoice Period” means the period (e.g., monthly or annually) as indicated in the Order Document for which Compumedics will invoice You for the Services provided.
“neXus 360” means the Compumedics commercial software solution known as neXus 360, offered on a Compumedics Hosted or Customer Hosted subscription basis, with the components listed in the applicable Order Document.
“Order Document” means a document executed by Compumedics and You that provides for the purchase and delivery of Services under this Agreement and specifies Your Configuration.
“Party” means a party to this Agreement.
“Professional Services” means any services (such as implementation services, training, consulting and termination services) other than neXus 360 and Support Services that are to be provided by or on behalf of Compumedics to You pursuant to an Order Document or statement of work.
“Program” means computer software.
“Protected Health Information” means individually identifiable health information as defined in 45 C.F.R. § 160.103 of the Health Insurance Portability and Accountability Act (“HIPAA”).
“Recording Device” means a hardware platform offered by Compumedics for the purpose of recording physiological data.
“Service Specifications” means the descriptions that are applicable to the Services provided under an Order Document, including any hosting, support and security policies, and other descriptions referenced or incorporated in that Order Document.
“Services” means, collectively, neXus 360, Support Services, and Professional Services.
“Services Environment” means e i t h e r ( a ) the combination of hardware and software components owned, licensed or managed by Compumedics to which Compumedics grants You and Users access as part of neXus 360 which You have specified in Your Configuration, or (b) the infrastructure used to deliver the services (i.e., network, hardware, operating system and web-based applications), up until where the Internet Protocol data packets leave the data center either via a private or public connection.
“Services Period” refers to the period of time for which You have ordered Services as specified in an Order Document.
“Site(s)” means Your medical facility(ies) at which Studies are conducted or initiated.
“Study” means a multi-parametric test of physiological activity in a human being.
“Subscription Fee” means the Compumedics Hosted Professional Fee or Compumedics Hosted Enterprise Fee (as applicable).
“Support Services” means those support services provided by Compumedics as set forth on Appendix A.
“Term” is defined in Section 2.
“Third Party Content” means all text, files, images, graphics, illustrations, information, data, audio, video, photographs and other content and material, in any format, that are obtained or derived from third party sources outside of Compumedics and made available to You through, within, or in conjunction with Your use of, neXus 360. Examples of Third-Party Content include data feeds from social network services, feeds from blog posts, data libraries and dictionaries and marketing data.
“Users” means those employees, contractors, and persons, as applicable, authorized or permitted by You to use neXus 360 in accordance with this Agreement and the applicable Order Document. When Your instance of neXus 360 is specifically designed to allow Your clients, agents, customers, suppliers or other persons to access neXus 360 to interact with You, such third parties will be considered
“Users” subject to the terms of this Agreement and the applicable Order Document. This specifically includes patients and other persons to whom You are offering clinical services.
“Your Content” means all text, files, images, graphics, illustrations, information, medical data (including Protected Health Information), audio, video, photographs and other material, in any format, provided by You, Users or on behalf of Users that reside in, or run on or through, the Services Environment.

2. Term of Agreement

This Agreement remains in force until expiration or termination of the last Order Document entered into under this Agreement (“Term”)

3. Order Documents

3.1. Compumedics shall make each of the Services ordered by You pursuant to an Order Document available to You under the terms of this Agreement. No Order Document is binding until executed by both Parties and is binding regardless of any references to other template forms. Although You may submit a purchase order as part of Your internal procurement processes, the binding agreement for such orders is the Order Document signed by both Parties and any such Order Document will form part of this Agreement.
3.2. neXus 360 is made available to You on a subscription basis for the Services Period designated on an Order Document at the fees set forth on the Order Document.
3.3. Order Documents for neXus 360 will set forth Your Configuration.
3.4. At Your option, and depending on the Study acquisition hardware selected, neXus 360 may be offered either as Compumedics Hosted or Customer Hosted. The Order Document will indicate the hosting type corresponding to this Agreement.
3.5. An Order Document may be referenced for any purchase that increases the quantity of the original Services ordered under that Order Document, and for any Compumedics Services options offered by Compumedics for the original Services and applies to any renewal (including automatic renewal) of the Services Period of the original Order Document.

4. Rights Granted

4.1. For the duration of the applicable Services Period under an Order Document, and except as otherwise set forth in this Agreement or the Order Document, You and Users may access and use neXus 360 solely for Your internal business operations. You acknowledge that Compumedics Hosted neXus 360 is offered as a hosted solution, and that You have no right to obtain a copy of the underlying computer code as part of neXus 360. You may allow Users to use the Services for this purpose and You are responsible for Users’ compliance with this Agreement.
4.2. You do not acquire under this Agreement any right or license to use neXus 360, including the Compumedics Programs and Services Environment, in excess of the scope and/or duration of the Services stated in the applicable Order Document.
4.3. To enable Compumedics to provide You and Users with the Services, You grant Compumedics the right to (a) use, process and transmit, in accordance with this Agreement and the applicable Order Document, Your Content for the duration of the applicable Services Period plus any additional post-termination period during which Compumedics provides You with limited access to retrieve and export files of Your Content; and (b) access Your Content for the purposes of providing the Services stated in Your Order Document. You acknowledge that this access may be from outside the Data Center Region. Such access shall be limited to direct Compumedics employees or affiliates that are authorized to do so and are bound by an appropriate privacy agreement.
4.4. Except as otherwise expressly set forth in the applicable Order Document, You acknowledge that Compumedics has no obligation to deliver physical copies of Compumedics Programs or sub-licensed third-party programs or technology and shall not ship copies of such programs to You as part of the Services.
4.5. You grant Compumedics the right to (a) use and disclose De-Identified Data for research purposes, and (b) use, share or sell aggregated De-Identified Data with partners or the public for the improvement of the algorithms used in the Services or for providing additional services. This includes copying, transmitting, and processing the De-Identified Data for these purposes. When Compumedics provides this information, Compumedics will take legal and technical measures to ensure that the data does not identify You or any associated party and cannot be associated back to You.

5. Ownership and Restrictions

5.1. You retain all ownership and intellectual property rights to Your Content while acknowledging the rights granted above.
5.2. Compumedics and its licensors retain all ownership and intellectual property rights to the Services, including Compumedics Programs, and derivative works thereof, and to anything developed for, or delivered by or on behalf of Compumedics under this Agreement.
5.3. You shall not, and shall not cause or permit others to:

5.3.1. Remove, modify, or conceal any Program markings or any notice of Compumedics’ or its licensors’ proprietary rights;
5.3.2. Make the Programs or materials resulting from the Services (excluding Your Content) available in any manner to any third party for use in the third party’s business operations (unless such access is expressly permitted for the specific Services for which You have contracted);
5.3.3. Modify, make derivative works of, disassemble, decompile, reverse engineer, reproduce, distribute, republish or download any part of neXus 360 (the foregoing prohibitions include but are not limited to review of data structures or similar materials produced by Programs), or access or use neXus 360 in order to build, disassemble, decompile, reverse engineer, reproduce, distribute, republish, approximate or support, and/or assist a third party in building, disassembling, decompiling, reverse engineering, reproducing, republishing, approximating, or supporting, products or services providing the same or similar functionality to neXus 360 or Compumedics’ Services;
5.3.4. Disclose any benchmark or performance tests of neXus 360 ;
5.3.5. Perform or disclose any of the following security testing of the Services Environment or associated infrastructure: network discovery, port and service identification, vulnerability scanning, password cracking, remote access testing, or penetration testing; or
5.3.6. License, sell, rent, lease, transfer, assign, distribute, host, outsource, permit timesharing or service bureau use, or otherwise commercially exploit or make available neXus 360, Compumedics Programs, Ancillary Software, Services Environments or Compumedics materials to any third party, other than as expressly permitted under the terms of the applicable Order Document.

5.4. Your rights under Section 5 of this Agreement are conditional upon You making every reasonable effort to prevent unauthorized parties from accessing the Services.

6. Software and Service Specifications

6.1. Any Acquisition Software supplied by Compumedics is subject to, and provided on the conditions set out in, the Compumedics’ End-User License Agreement, where this exists.
6.2. The Services are subject to and governed by the Configuration as detailed in the applicable Order Document.
6.3. Your Configuration defines anticipated loading applicable to neXus 360, types and quantities of system resources (such as storage allotments), as well as any Services deliverables. You acknowledge that use of neXus 360 in a manner not consistent with the Configuration may adversely affect neXus 360 performance. If Your Configuration of neXus 360 permits You to exceed the anticipated loading (e.g., number of Recording Devices), then You are responsible for notifying Compumedics within 30 days of exceeding the anticipated loading. Compumedics may require You to pay, in addition to the fees for the additional quantity, an additional provisioning fee for those Services.
6.4. The Services specified in Your Order Document set forth the fees associated with the use of neXus 360 for conducting and initiating Studies at Your Site(s). However, neXus 360 will also allow You to upload and store additional non-Compumedics data (such as pictures, electronic documents, etc.) to the patient(s) file as Your Content. The total size of these ancillary files should be ≤ 1Gb and Compumedics reserves the right to invoice You additional storage charges should the capacity of these files become higher than 1Gb.
6.5. Compumedics provides a fully-maintained Services Environment for Compumedics Hosted neXus 360.
6.6. Compumedics may make changes or updates to either or both neXus 360 and the Support Services (such as infrastructure, security, technical configurations, application features, etc.) during the Term, including to reflect changes in technology, industry practices, patterns of system use, and availability of Third Party Content. These changes or updates are at Compumedics’ discretion; however, Compumedics’ changes to neXus 360 or the Support Services will not result in a material reduction in the level of performance, security or availability of neXus 360 for the duration of the applicable Services Period.
6.7. Your Configuration will specify the Data Center Region in which the Services Environment will reside. For Compumedics Hosted neXus 360, Compumedics provides production and backup environments in the Data Center Region as stated in the Order Document. You and Compumedics shall agree upon any pre-production test environment for the Services. Compumedics and its Affiliates may perform worldwide certain aspects of providing neXus 360, such as service administration, support, and disaster recovery, as well as other Services (including analysis, scoring and reporting), from locations and/or through use of subcontractors.

7. Use of the Services

7.1. You are responsible for identifying and authenticating all Users, for approving access by Users to neXus 360, for controlling against unauthorized access to neXus 360, and for maintaining the confidentiality of usernames, passwords and account information. By federating or otherwise associating Your and Users’ usernames, passwords and accounts with Compumedics, You accept responsibility for the confidentiality and timely and proper termination of User records in Your local (intranet) identity infrastructure or on Your local computers. Compumedics is not responsible for any harm caused by Users or individuals who were not authorized to have access to the Services but who were able to gain access because usernames, passwords or accounts were not terminated on a timely basis in Your local identity management infrastructure or Your local computers. You are responsible for all activities that occur under Your and Users’ usernames, passwords or accounts or as a result of Your or Users’ access to neXus 360, and shall notify Compumedics immediately of any unauthorized use or access. You shall make every reasonable effort to prevent unauthorized third parties from accessing neXus 360.
7.2. You shall not use or permit use of the Services, including by uploading, emailing, posting, publishing or otherwise transmitting any material, or submit Your Content or Third Party Content, for any purpose that may (a) threaten or harass any person or cause damage or injury to any person or property, (b) involve the publication of any material that is false, defamatory, harassing or obscene, (c) violate privacy rights or promote bigotry, racism, hatred or harm, (d) constitute unsolicited bulk e-mail, “junk mail”, “spam” or chain letters; (e) constitute an infringement of intellectual property or other proprietary rights, or (f) otherwise violate applicable laws, ordinances or regulations. In addition to any other rights afforded to Compumedics under this Agreement, Compumedics reserves the right, but has no obligation, to take remedial action if any material violates the restrictions in the foregoing sentence, including the removal or disablement of access to such material. Compumedics shall have no liability to You if Compumedics takes such action. You shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all of Your Content. You shall defend and indemnify Compumedics against any claim arising out of a failure by You to complete Your obligations under this Section.
7.3. You are required to accept all patches, bug fixes, updates, maintenance and service packs (collectively, “Patches”) necessary for the proper function and security of neXus 360, including for the Compumedics Programs, as such Patches are generally released by Compumedics. Compumedics is not responsible for performance or security issues encounter with neXus 360 that result from Your failure to accept the application of Patches. Except for emergency or security related maintenance activities, Compumedics will coordinate with You the scheduling of application of Patches, where possible, based on Compumedics’ next available standard maintenance window.
7.4. You shall obtain at Your sole expense any rights and consents from third parties necessary for Your Content, and Third Party Content, as well as other vendor’s products provided by You that You use with neXus 360, including such rights and consents as necessary for Compumedics to perform the Services under this Agreement.
7.5. You shall provide Compumedics with all information, access and full good faith cooperation reasonably necessary to enable Compumedics to provide the Services and You shall perform the actions identified in each applicable Order Document as Your responsibilities.
7.6. You remain solely responsible for Your regulatory compliance in connection with Your use of the Services. You are responsible for making Compumedics aware of any technical requirements that result from Your regulatory obligations prior to entering into this Agreement and any Order Document. Compumedics shall cooperate with Your efforts to determine whether use of the standard neXus 360 offering is consistent with those requirements. Additional fees may apply to any additional work performed by Compumedics or changes made to the Services to address Your regulatory obligations.

8. Fees, Taxes, Payment and Interest

8.1. Beginning on the Start Date of the Service Period specified in the Order Document and continuing thereafter for each Invoice Period during the Services Period of the Order Document, Compumedics shall invoice You at the rate set forth on the applicable Order Document. Unless otherwise agreed in an Order Document or statement of work, Professional Services are provided on a time and materials basis at Compumedics’ then current rates. You may receive multiple invoices for the Services specified in an Order Document. Invoices will be submitted to You pursuant to Compumedics’ Invoicing Policy, which may be requested at any time. You shall ensure the timely delivery of any purchase orders Your policies may require; however, Your payment obligations commence as stated in the applicable Order Document regardless of receipt by Compumedics of Your purchase order. All fees are stated in U.S. dollars unless otherwise specified in an Order Document.
8.2. All fees set forth in an Order Document exclude any sales, value-added or similar taxes that may apply under local, state or federal law (“Sales Taxes”). You shall pay any Sales Taxes based on Your use of the Services, except for taxes based on Compumedics’ income. Compumedics shall invoice Sales Taxes as incurred and such amounts will be identified separately on the invoice. The Parties shall provide and make available to the other any resale certificates, information regarding out-of-state sales or use of equipment, materials or services, and any other exemption certificates or information requested by a Party.
8.3. All invoiced fees payable to Compumedics are due within 30 days from invoice date. All fees are non-cancellable and non-refundable, except as provided in this Agreement.
8.4. Compumedics reserves the right to change fees, at any time following the first year of Services under an Order Document, by providing You with 30 day’s advance written notification.
8.5. Late payments due to Compumedics under this Agreement will incur interest at the rate of 18% per annum calculated daily or at the maximum rate legally permissible under applicable law. Interest will be calculated from the date payment was due until the date payment is made in full, with all payments first being applied to interest and then to principal. You shall pay to Compumedics reasonable legal costs incurred by Compumedics in collecting any overdue payment.

9. Services Period and Termination of Services

9.1. Services (other than Professional Services) shall be provided for the Services Period defined in the applicable Order Document, unless earlier suspended or terminated in accordance with this Agreement. If stated in the Order Document, certain Services will renew automatically for additional Services Periods of equal time unless You provide Compumedics with written notice of non-renewal no later than 60 days prior to the end of the applicable Services Period.

9.2. Upon termination of an Order Document providing for neXus 360, You no longer have rights to access or use neXus 360, or the associated Compumedics Services and Services Environment(s).Within 60 days after the end of the applicable Services Period, Compumedics shall make Your Content available in the form of a secure encrypted storage device that will be sent to, and must be signed for at, Your designated address. At the end of such 60-day period, and except as may be required by law, Compumedics shall delete or otherwise render inaccessible any of Your Content that remains in the Services Environment and certify, in writing to You, that Your Content has been destroyed or rendered inaccessible. Your signature for the delivery of the encrypted storage device will be proof to Compumedics that you have received all of the Content You are legally required to keep and that You allow Compumedics to keep Your Content that is legally required by it without legal recourse by You.

9.3. Compumedics may temporarily suspend Your password, account, and access to or use of neXus 360 if You or Users materially violate any provision of Sections 4 (Rights Granted), 5 (Ownership and Restrictions), 7 (Use of the Services), 8 (Fees, Taxes, Payment and Interest), or 17 (Export) provisions of this Agreement, or if in Compumedics’ reasonable judgment, neXus 360 or any component thereof is about to suffer a significant threat to security or functionality. Compumedics shall provide advance notice to You, if possible, of any such suspension in Compumedics’ reasonable discretion based on the nature of the circumstances giving rise to the suspension. Compumedics shall use reasonable efforts to re-establish the affected Services promptly after Compumedics determines, in its reasonable discretion, that the situation giving rise to the suspension has been remedied however, during any suspension period, Compumedics shall make available to You Your Content as existing in the Services Environment on the date of suspension. Compumedics may terminate the Services under this Agreement if any of the foregoing causes of suspension is not remedied within 30 days after Compumedics’ initial notice thereof. If the temporary suspension was due to Your violation of this Agreement, any suspension or termination by Compumedics under this Section 9.3 shall not excuse You from Your obligation to make payment(s) under this Agreement and Compumedics shall charge You a re-establishment fee equal to one month’s minimum invoice obligation under each affected Order Document.

9.4. If either Party breaches a material term of this Agreement and fails to correct the breach within 30 days of written notice of the breach, then the breaching Party is in default and the non-breaching Party may terminate this Agreement. If Compumedics terminates this Agreement as set out under this provision, You must pay (within 30 days) all amounts that have accrued prior to such termination, as well as all sums remaining unpaid for the Services under such Order Document, plus related taxes and expenses. Except for non-payment of fees, the non-breaching Party may agree in its sole discretion to extend the 30-day cure period for so long as the breaching Party continues reasonable efforts to remedy the breach. If You are in default under this Agreement, You may not use the Services.

9.5. The following Sections survive the expiration or termination of this Agreement: 5.2, 8 (to the extent fees are due and owing), 9.2, 9.5, 10, 13, 14, 16, 20, 21, 22, and 25, as well as any others that by their nature are intended to survive.

10. Nondisclosure

10.1. Under this Agreement, the Parties may have access to information that is confidential to each Party or collectively (“Confidential Information”). Each Party shall disclose only information that is required for the performance of that Party’s obligations under this Agreement. Confidential information means the terms and pricing under this Agreement, Your Content residing in the Services Environment, the Services and all intellectual property embodied therein, and all information reasonably identifiable as confidential at the time of disclosure by the disclosing Party.
10.2. A Party’s Confidential Information does not include information that: (a) is, or becomes, a part of the public domain through no act or omission of the other Party; (b) was in the other Party’s lawful possession prior to the disclosure and had not been obtained by the other Party either directly or indirectly from the disclosing Party; (c) is lawfully disclosed to the other Party by a third party without restriction on the disclosure; or (d) is independently developed by the other Party.
10.3. Neither Party shall disclose the other Party’s Confidential Information to any third party for a period of three years from the date of the disclosing Party’s disclosure of the Confidential Information to the receiving Party; however, Compumedics shall hold Your Confidential Information that resides within the Services Environment in confidence for as long as such information resides in the Services Environment. As an exception to the foregoing, each Party may disclose Confidential Information to those employees, agents or subcontractors who are required to protect it against unauthorized disclosure in a manner no less protective than required under this Agreement. Protected Health Information will be processed in accordance with the terms of Section 11 below. Nothing shall prevent either Party from disclosing the terms or pricing under this Agreement or Configuration details under this Agreement in any legal proceeding arising from or in connection with this Agreement or from disclosing the Confidential Information to a governmental entity as required by law.

11. Protected Health Information

11.1. As between Compumedics and You, (a) You are the sole and exclusive owner of all Protected Health Information made available to Compumedics under this Agreement, (b) You possess the exclusive right and jurisdiction to control the use of such Protected Health Information, and (c) the disclosure of any Protected Health Information by Compumedics for any purpose not authorized under this Agreement or the Business Associate Agreement is prohibited.
11.2. Each of Compumedics and You shall comply with all applicable privacy laws and regulations regarding all data collected or received by it. The Business Associate Agreement attached hereto as Appendix B applies to Compumedics’ receipt, maintenance or transmission of Protected Health Information from, or on behalf of You.

12. Warranties, Disclaimers and Exclusive Remedies

12.1. Compumedics warrants that it shall perform the Services in all material respects as described in this Agreement and each Order Document then in effect and Compumedics Hosted neXus 360 will be available at least 95% of the time, except for and not including scheduled downtime (for which Compumedics shall provide You with 48 hours’ advance notice), Your misuse of the Services, failure of Your internet connectivity, or Your failure provide appropriate hardware. If the Services provided to You were not performed as warranted, You must promptly provide written notice to Compumedics that describes the deficiency in the Services.
12.2. Compumedics does not guarantee that (a) the Services will be performed error-free or uninterrupted, or that Compumedics will correct all errors; (b) neXus 360 will operate in combination with Your Content, or with any other hardware, software, systems, services or data not provided by Compumedics; or (c) the Services will meet Your requirements, specifications or expectations. You acknowledge that Compumedics does not control the transfer of data over communications facilities, including the internet, and that the Services may be subject to limitations, delays, and other problems inherent in the use of such communications facilities. Compumedics is not responsible for any delays, delivery failures, or other damage resulting from such problems beyond its control. Compumedics is not responsible for any issues related to the performance, operation or security of the Services that arise from Your Content or Third Party Content.
12.3. For any breach of the Services warranty, Your exclusive remedy and Compumedics’ entire liability shall be the correction of the deficient Services that caused the breach of warranty, or, if Compumedics cannot substantially correct the deficiency within 30 days, You may end the deficient Services and Compumedics shall refund to You the fees for the terminated Services that You pre-paid to Compumedics for the period following the effective date of termination.
12.4. EXCEPT AS EXPRESSLY PROVIDED HEREIN TO THE CONTRARY, THE SERVICES (AND ALL RELATED SOFTWARE, HARDWARE, AND DOCUMENTATION) ARE PROVIDED “AS IS” AND “AS AVAILABLE”, AND, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COMPUMEDICS DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, PERFORMANCE, ACCURACY, NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. COMPUMEDICS DOES NOT WARRANT UNINTERRUPTED OR ERROR-FREE OPERATION OF ANY MACHINES, SOFTWARE, PRODUCTS, OR SERVICES, ANY DEFECT OR MALFUNCTION IN THE SERVICES IS CORRECTABLE OR WILL BE CORRECTED, OR THAT ANY SERVICES WILL BE MODIFIED OR IMPROVED.
12.5. THE SERVICES ARE A SUPPLEMENT TO YOUR CORE OBLIGATION TO PROVIDE CARE AND TREATMENT FOR YOUR PATIENTS. COMPUMEDICS DOES NOT ASSUME LONG-TERM RESPONSIBILITY FOR THE MEDICAL CARE OF ANY PATIENT.

13. Limitation of Liability

13.1. Compumedics shall not be liable under any circumstances for any act or omission relating to medical or nursing care provided by You or Your personnel, and nothing in this Agreement shall be construed as making Compumedics, its owners, officers, agents and/or employees, legally liable to any third party for Your acts or omissions or those of Your directors, officers, agents and or employees, including acts or omissions relating to the medical care and or the professional medical judgment provided to Patients.
13.2. Except for claims arising from a Party’s (a) breach of Sections 5 (Ownership and Restrictions) or 10 (Nondisclosure), (b) infringement, misappropriation or other violation of the other Party’s intellectual property rights, or (c) indemnification obligations under Section 14 (Indemnification), neither Party shall be liable for any indirect, incidental, special, punitive, or consequential damages, or any loss of revenue or profits (excluding fees under this Agreement), data, or data use. Except in regards to damages arising from breach or violation of Sections 4 (Right Granted), 5 (Ownership and Restrictions), 10 (Nondisclosure), or 14 (Indemnification), or solely in the case of You and Your Affiliates, Your breach of any of the payment obligations under this Agreement, each Party’s aggregate liability for all damages arising out of, or related to, this Agreement or an Order Document, whether in contract or tort, or otherwise, is limited to the total amount actually paid to Compumedics for the Services in the 12 months immediately preceding the event giving rise to the claim, less any refunds or credits received by You from Compumedics.

14. Indemnification

14.1. Subject to the terms of this Section 14 (Indemnification), if a third party makes a claim against either You or Compumedics that any information, design, specification, instruction, software, service, data, hardware, or material (collectively, “Material”) furnished by either You or Compumedics (“Provider,” which refers to You or Compumedics depending on which Party provided the Material) and used by You or Compumedics (“Recipient,” which refers to You or Compumedics depending upon which Party received the Material) infringes the third party’s intellectual property rights, Provider, at Provider’s sole cost and expense, shall defend Recipient against the claim and indemnify Recipient and Recipient’s affiliates, officers, directors, members, shareholders, employees, and agents from the damages, liabilities, costs and expenses awarded by the court to the third party claiming infringement or the settlement agreed to by Provider, if Recipient does the following:

14.1.1. Notifies Provider promptly in writing, not later than 30 days after Recipient receives notice of the claim (or sooner, if required by applicable law);
14.1.2. Gives Provider sole control of the defence and any settlement negotiations; and
14.1.3. Gives Provider the information, authority and assistance Provider needs to defend against or settle the claim.

14.2. If Provider believes or it is determined that any of the Material may have violated a third party’s intellectual property rights, Provider may choose to either modify the Material to be non-infringing (while substantially preserving its utility or functionality) or obtain a license to allow for continued use, or if these alternatives are insufficient, Provider may end the license for, and require return of, the applicable Material and refund any unused, prepaid fees Recipient may have paid to the other Party for such Material. If such return materially affects Compumedics’ ability to meet its obligations under the relevant Order Document, then Compumedics may, at its option and upon 30 days’ prior written notice, terminate the Order Document. If such Material is third party technology and the terms of the third party license do not allow Compumedics to terminate the license, then Compumedics may, upon 30 days’ prior written notice, terminate the Services associated with such Material and refund to You any unused, prepaid fees for such Services.
14.3. Provider has no obligation to indemnify Recipient if (a) Recipient alters the Material or uses it outside the scope of use identified in Provider’s user or program documentation or the applicable Order Document, (b) Recipient uses a version of the Material that has been superseded, if the infringement claim could have been avoided by using an unaltered current version of the Material which was made available to Recipient, (c) Recipient continues to use the applicable Material after the expiration or termination of the license to use that Material, or (d) an infringement claim is based upon any information, design, specification, instruction, software, service, data, hardware or material not furnished by Provider. Compumedics shall not indemnify You for any portion of an infringement claim that is a result of (i) the combination of any Material with any products or Services not provided by Compumedics (ii) use of Third Party Content or any Material from a third party portal or other external source that is accessible or made available to You within or by neXus 360 (e.g., a social media post from a third party blog or forum, a third party Web page accessed via a hyperlink, marketing data from third party data providers, etc.), (iii) Your actions against any third party if the Services as delivered to You and used in accordance with the terms of this Agreement would not otherwise infringe any third party intellectual property rights, or (iv) any intellectual property infringement claim(s) known to You at the time Services rights are obtained.
14.4. This Section 14 provides the Parties’ exclusive remedy for any infringement claims or damages.

15. Service Tools and Ancillary Software

15.1. Compumedics may use tools, scripts, software, and utilities (collectively referred to as the “Tools”) to monitor and administer the Services and to help resolve Your service requests. The Tools will not collect or store any of Your Content residing in the Services Environment, except as necessary to provide the Services or troubleshoot service requests or other problems in the Services. Information collected by the Tools (excluding Your Content) may also be used to assist in managing Compumedics’ product and service portfolio, to help Compumedics address deficiencies in its product and service offerings, and for license and Services management.
15.2. Compumedics may provide You with on-line access to download certain Ancillary Software for use with the Services. If Compumedics licenses Ancillary Software to You and does not specify separate terms for such Ancillary Software, then, subject to Your payment obligations, (a) You have the non-exclusive, non- assignable, worldwide limited right to use such Ancillary Software solely to facilitate Your access to, and use of the Services Environment, subject to the terms of this Agreement and the Order Document, (b) Compumedics shall maintain such Ancillary Software as part of the Services, and (c) Your right to use such Ancillary Software will terminate upon the earlier of Compumedics’ notice or the end of the Services associated with the Ancillary Software. If Ancillary Software is licensed to You under separate third party license terms, then Your use of such software is subject solely to such separate terms. Compumedics is not responsible for updating, maintaining, or in any other way servicing Your separate third-party license software, unless any such services are included in the Order Document.

16. Service Analyses

Compumedics may (a) compile statistical and other information related to the performance, operation and use of the Services, and (b) use data from the Services Environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses (a) and (b) are collectively t h e “Service Analyses”). Compumedics may make Service Analyses publicly available; however, Service Analyses must contain completely De-Identified Data. Compumedics retains all intellectual property rights in Service Analyses.

17. Export

17.1.U.S. export laws and regulations and any other relevant non – U.S. export laws and regulations apply to the Services. Such export laws govern Your use of the Services (including technical data) and any Services provided under this Agreement, and You shall comply with all such export laws and regulations (including “deemed export” and “deemed re-export” regulations). You shall ensure that no data, information, software programs or materials resulting from Services (or direct product thereof) is exported, directly or indirectly, in violation of these laws, or is used for any purpose prohibited by these laws, including nuclear, chemical, or biological weapons proliferation, or development of missile technology.
17.2. You acknowledge that neXus 360 is designed with capabilities for You and Users to access the Services Environment without regard to geographic location and to transfer or otherwise move Your Content between the Services Environment and other locations such as User workstations. Except to the extent that action is taken by Compumedics, You are solely responsible for the authorization and management of User accounts, as well as export control and geographic transfer of Your Content.

18. Force, Majeure and Backup Obligations

18.1. Compumedics shall, in accordance with the provisions of this Section 18, maintain or cause to be maintained disaster avoidance procedures designed to safeguard Your Content and Your other Confidential Information, Compumedics’ processing capability and the availability of the Services, in each case throughout the Term and at all times in connection with its actual or required performance of the Services hereunder. The force majeure provisions of Section 18.5 will not limit Compumedics’ obligations under other provisions of this Section 18.
18.2. For neXus 360 Services that are Compumedics Hosted, Compumedics shall simultaneously maintain a mirror system at a hardened data center facility (“Secondary Backup Facility”) within the Geographic Region specified in the applicable Order Document, and within that region it will be geographically remote from the primary system on which Your Content is hosted. Except for its location and housing facility, the mirror system will: (a) be identical in all respects to the primary system; (b) have hardware and software, network connectivity, power supplies, backup generators and other similar equipment and services that operate independently of the primary system; (c) have backups as per Section 18.3; and (d) have the ability to provide neXus 360 in accordance with this Agreement and the Service Specifications during the performance of routine and remedial maintenance or any outage or failure of the primary system. Compumedics shall operate, monitor and maintain such mirror system so that it may be activated promptly after any failure of the Services and be intended to resume continuation of services within 24 hours.
18.3. For neXus 360, Compumedics shall conduct or have conducted daily backups of Your Content and store such backup of Your Content at the Secondary Backup Facility. No backup of Your Content is counted in allotting or calculating any data storage actually used or permitted to be used by You or any associated payment or fee.
18.4. Throughout the Term, Compumedics shall maintain a Business Continuity and Disaster Recovery Plan (the “Plan”), and implement such Plan in the event of any unplanned interruption of neXus 360 to resume continuation of services within 24 hours, if practical under the circumstances. Compumedics shall actively test, review and update the Plan on at least an annual basis using industry best practices.
18.5. Neither Party shall be responsible for failure or delay of performance if caused by: an act of war, hostility, terrorism, civil disobedience or disturbance, or sabotage; act of God; pandemic or epidemic; electrical, internet, or telecommunication outage that is not caused by the affected Party; government restrictions (including the denial or cancelation of any export, import or other license); or other event outside the reasonable control of the affected Party. Both Parties shall use reasonable efforts to mitigate the effect of a force majeure event, including Compumedics providing You with access as reasonably practicable to Your Content hosted at the Secondary Backup Facility. If such event continues for more than 30 days, either Party may cancel unperformed Services and the affected Order Document(s) and Compumedics Services upon written notice.

19. Assignment

You shall not assign this Agreement or give or transfer the Services (including the Compumedics Programs) or an interest in them to another party. If You grant a security interest in any portion of the Services, the secured party has no right to use or transfer the Services or any deliverables.

20. Miscellaneous

20.1. Compumedics is an independent contractor and no partnership, joint venture, or agency relationship exists between the Parties. Each Party is responsible for paying its own employees, including employment-related taxes and insurance. Compumedics business partners and other third parties, including any third parties with which Compumedics has an integration or that are retained by You to provide consulting or implementation services or applications that interact with the Services are independent of Compumedics and are not Compumedics’ agents. Compumedics is not liable for, bound by, or responsible for any problems with the Services or Your Content arising due to any acts or omissions of any such business partner or third party, unless the business partner or third party is providing Services as a Compumedics subcontractor on an engagement ordered under this Agreement and, if so, then only to the same extent as Compumedics would be responsible for Compumedics resources under this Agreement.
20.2. If any provision or term of this Agreement is found to be invalid or unenforceable, the remaining provisions will remain effective and such term will be replaced with another term consistent with the purpose and intent of this Agreement.
20.3. Except for actions for non-payment, or breach of either Party’s proprietary rights, no action, regardless of form, arising out of or relating to this Agreement may be brought by either Party more than two years after the cause of action has accrued as evidenced by the written record.
20.4. Compumedics may audit Your use of the Services (e.g., through use of software tools) to assess whether Your use of the Services is in accordance with an Order Document and the terms of this Agreement. You shall cooperate with Compumedics’ audit and provide reasonable and timely assistance and access to information. Any such audit will not unreasonably interfere with Your normal business operations. You shall pay within 30 days of written notification any fees applicable to Your use of the Services in excess of Your rights. If You do not pay, Compumedics may terminate the applicable Services, the Order Document, or this Agreement. Compumedics shall not be responsible for any of Your costs incurred in cooperating with the audit.
20.5. The purchase of neXus 360 subscriptions, or other service offerings, programs or products are all separate offers and separate from any other agreement. You understand that You may purchase neXus 360, Professional Services, or other service offerings, programs, or products independently of any other agreement. Your obligation to pay under any agreement is not contingent on performance of any other service offerings or delivery of programs or Products.

21. Governing Law and Jurisdiction

This Agreement is governed and construed in accordance with the laws of the State of North Carolina, excluding its conflict of laws principles. The Parties consent to the sole and exclusive jurisdiction in the state or federal courts in North Carolina as the sole and exclusive venue and jurisdiction for any disputes that arise out of or relates to this Agreement. The Parties waive any objections to such exclusive jurisdiction and venue. The Parties disclaim the applicability of the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act.

22. Equitable Relief

The Parties acknowledge that any violation of Sections 4 (Rights Granted), 5 (Ownership and Restrictions), 7 (Use of Services), or 10 (Nondisclosure) would result in irreparable injury to the non-breaching Party for which no adequate remedy at law may be available. Accordingly, each Party consents to the issuance of an injunction prohibiting any conduct in violation of any of those Sections and agrees that the existence of any claim a Party may have against the other Party, whether or not arising from this Agreement, will not constitute a defence to the enforcement of any of those Sections.

23. Entire Agreement

This Agreement, its appendices, and the information which is incorporated into this Agreement by written reference, together with the applicable Order Document, is the complete agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements or representations, written or oral, regarding its subject matter. In the event of a conflict, the provisions of an Order Document will take precedence over provisions of the rest of this Agreement. This Agreement may be amended only by a written instrument signed by both Parties. This Agreement is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns. Except as specifically set forth in this Agreement, this Agreement does not create any rights in or obligations to any third parties.

24. Interpretation

The Section headings in this Agreement are for identification purposes only and will not affect the interpretation of this Agreement. Unless business days are specified, all references to “days” means calendar days and the word “including” means “including without limitation.”

25. Notice

Any notice required or permitted under this Agreement must be in writing, signed by the authorized representative of the Party giving it, and served to the addresses indicated on the cover page hereto (or to such other addressee as may be later designated by written notice) by personal delivery, recognized overnight courier service, or by the United States mail, first-class, certified or registered, postage prepaid, return receipt requested. All such notices will be effective when received, but in no event later than three days after mailing.

26. Counterparts

This Agreement may be executed in counterparts (including by electronic transmission), each of which when executed and delivered will be an original.

Appendix A: neXus 360 Support Services

This Appendix outlines Support Services solely relating to neXus 360. Compumedics’ support services (including preventative maintenance) for associated hardware and/or software (and their associated warranties) are covered by separate Compumedics’ service agreements and Compumedics Standard Terms and Conditions of Sale.

The neXus 360 fees cover the following Support Services only:

Web-based Access to Compumedics ProFusion PSG/EEG data files or ProDigi data files
Server maintenance and scalability (Compumedics servers only)
Data storage (Compumedics servers only)
Subsequent software updates for neXus 360 and ProFusion EEG/PSG and ProDigi software (dependent on hardware compatibility with acquisition systems, video cameras, etc.)

Service Inclusions in neXus 360

Phone, Email and Web-based support related to neXus 360 interface only (24/7 and within 24 hours, excluding weekends)
Access to neXus 360 Interface*
Archiving of data (Compumedics servers only)
Data Backups (Compumedics servers only)*
Free-of-charge updates to neXus 360, ProFusion PSG and ProFusion EEG and ProDigi*
Trouble-shooting for any issues arising from the neXus 360 interface only*
*As it pertains to meeting Compumedics’ obligations under the neXus 360 Subscription Agreement.

neXus 360 Response Times

Description of Business Impact	Response Times	Expected Customer Response
Priority Severity Level P1: Issue has severe impact on Services Environment with loss and degradation of services.	Mission Critical: < 1 hr. Updates thereafter within 1 hour Compumedics Support Team may at its discretion decrease the Priority to level P2.	Issue demands an immediate response, and support committed to a resolution or alternate solution(s) are enabled reasonable. Updates provided until final resolution.
Priority Severity Level P2: Issue has moderate impact to Your business with loss and degradation of services.	High: < 2 hr. Updates thereafter within 4 hours Compumedics Support Team may at its discretion decrease the Priority to level P3.	Compumedics provides workarounds that are enabled reasonable. Updates provided until final resolution.
Priority Severity Level P3: Issue has minimum impact to Your business with minor impediment of services.	Standard: < 24 hr. Updates thereafter within 24 hours	Compumedics provides Updates until final resolution.

Service Exclusions in neXus 360 Support Services

Installation and/or Training
Equipment/Hardware warranty and/or service (including third party devices, cameras, PCs & on-site servers, if applicable)
Preventative maintenance (e.g., defragmenting, database back up and archiving)
Consumables and Accessories
Freight charges
On-site trouble-shooting/service for neXus 360\
Any pre-existing issues related to concurrent neXus (Client/Server) installations

Appendix B: Business Associate Agreement

This Business Associate Agreement (“Agreement”) is entered into by and between [Customer Name] (“Covered Entity”) and Compumedics, USA Inc. (“Business Associate”) and is made a part of that certain service agreement or services agreements between the parties (“Services Agreement”) pursuant to which Business Associate provides services to Covered Entity that involves the creation, receipt, maintenance, or transmission of Covered Entity PHI.

This Agreement is intended to comply with the requirements for business associate agreements under the HIPAA Rules, as defined below, and is to be construed to achieve compliance with those requirements. If applicable, to the extent that the terms of this Agreement conflict with any provisions of the Services Agreement having to do with the use and disclosure of PHI, the terms of this Agreement will control.

1. Agreement Definitions
1.1. Capitalized terms used, but not otherwise defined in this Agreement, have the same meaning as those terms in the “HIPAA Privacy Rule” (the “Standards for Privacy of Individually Identifiable Health Information”), which is codified at 45 C.F.R. Parts 160, subpart A, and 164, subparts A and E, as amended from time to time; the “HIPAA Security Rule” (the “Security Standards for the Protection of Electronic Protected Health Information”), which is codified at 45 C.F.R. Parts 160, subpart A, and 164, subparts A and C, as amended from time to time; and the “HIPAA Breach Notification Rule” (the “Breach Notification for Unsecured Protected Health Information”), which is codified at 45 C.F.R. Parts 160, subpart A, and 164, subpart D (collectively, the “HIPAA Rules”).
1.2. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended.
1.3.“Protected Health Information” or “PHI,” as used in this Agreement, has the meaning set forth in 45 C.F.R. § 160.103, limited to information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the performance of the services under the Services Agreement.
1.4. “Electronic PHI” as used in this Agreement means (subject to the definition provided at 45 C.F.R. § 160.103) PHI, as limited above, that is transmitted or maintained in any Electronic media.

2. Uses and Disclosures Permitted by HIPAA
2.1. Business Associate may use or disclose PHI as necessary to provide the services to Covered Entity described in the Services Agreement.
2.2. When requesting, using, or disclosing PHI, Business Associate will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request consistent with and to the extent required by the HIPAA Rules.
2.3. Business Associate may not use or further disclose the information in a manner that would violate the requirements of the HIPAA Privacy Rule if done by Covered Entity, except that Business Associate may use and disclose PHI for the proper management and administration of Business Associate, to carry out the legal responsibilities of Business Associate consistent with the provisions of 45 C.F.R. §§ 164.504(e)(4)(i) and (ii) to de-identify PHI for Data Aggregation services. Business Associate may disclose PHI for its proper management and administration, or to carry out its legal responsibilities, only if: (a) the disclosure is required by law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2.4. Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.

3. Safeguards
3.1. Business Associate warrants that it will use appropriate administrative, technical, and physical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, to protect the confidentiality, integrity, and availability of Electronic PHI, and to address any Breaches of Unsecured PHI, in accordance with the HIPAA Rules.
3.2. Business Associate shall comply with applicable requirements of the HIPAA Security Rule.

4. Mitigation
Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

5. Reporting
5.1. Business Associate shall report promptly to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.
5.2. Business Associate shall report to Covered Entity’s Privacy Officer any suspected or known Security Incident under the HIPAA Security Rule of which it becomes aware, without unreasonable delay and in no case later than five (5) days after the Security Incident is (or exercising reasonable diligence should have been) discovered. The current contact information for Covered Entity’s Privacy Official is set forth in Attachment 1. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity will be required. “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
5.3. In the event of a Breach of Unsecured PHI, Business Associate shall report the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than five (5) days after the Breach is discovered or deemed discovered under that section. Business Associate will cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s legal obligations in connection with the Breach. Business Associate will provide Covered Entity with information necessary about a Breach of Unsecured PHI in order for Covered Entity to comply with its obligations under 45 C.F.R. Part 164, Subpart D.

6. Subcontractors
Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on Business Associate’s behalf agrees in writing to the same (or no less protective of Covered Entity) restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

7. Availability of PHI, Amendments, and Account of Disclosures
7.1. Business Associate will provide access to PHI in a Designated Record Set at the written request of Covered Entity within fifteen (15) days to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524 as reasonably interpreted by Covered Entity. Business Associate may impose a reasonable cost-based fee for the provision of copies of PHI in a Designated Record Set in accordance with 45 C.F.R. 164.524(c)(4). If an Individual makes a request directly to Business Associate for access to PHI in a Designated Record Set, within fifteen (15) days Business Associate will forward to Covered Entity both the Individual’s request and the PHI at issue, to allow Covered Entity to provide access to the Individual in accordance with 45 C.F.R. § 164.524. If the information is maintained electronically, Business Associate will make the information available to Covered Entity in an electronic format, if and as requested by Covered Entity. For purposes of this Agreement, the terms “written” or “in writing” include facsimile, email, or similar method of electronic communication.
7.2. Business Associate will make PHI in a Designated Record Set available to Covered Entity within thirty (30) days of Covered Entity’s written request, to the extent required (as reasonably interpreted by Covered Entity) for amendment, and incorporate any amendments, to PHI in accordance with 45 C.F.R. § 164.526, which describes the requirements applicable to an Individual’s request for an amendment to PHI. If an Individual makes a request directly to Business Associate for an amendment to PHI in a Designated Record Set, within fifteen (15) calendar days Business Associate will forward the Individual’s request to Covered Entity, and will make the PHI at issue available to incorporate any amendment(s) in accordance with 45 C.F.R. § 164.526.
7.3. Business Associate will make PHI and information related to disclosures of PHI by Business Associate available to Covered Entity upon written request to the extent required (as reasonably interpreted by Covered Entity) to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528, which describes the requirements applicable to an Individual’s request for an accounting of disclosures of PHI relating to the Individual. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate must maintain, and within fifteen (15) calendar days of any written request from Covered Entity for an accounting of disclosures of PHI with respect to an identified Individual, provide to Covered Entity information including the following with respect to any disclosure for which an accounting is
required: (a) the date of the disclosure, (b) the name, and if known address, of the individual or entity to which it was disclosed, (c) a brief description of the PHI disclosed, and (d) a brief statement of the purpose of the disclosure or copy of the written authorization or request authorizing it.
7.4. If an Individual makes a request directly to Business Associate for an accounting of disclosures of PHI, within fifteen (15) calendar days Business Associate will forward to Covered Entity both the Individual’s request and the applicable information described above.

8. HHS Access
If Business Associate receives a request, made on behalf of the Secretary, that Business Associate make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Rules, then Business Associate will promptly notify Covered Entity, unless prohibited by law, and comply with the request. Nothing in this section may be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.

9. Term and Termination; Return or Destruction of PHI
9.1. This Agreement will terminate (a) when either party terminates the Agreement due to the other party’s material breach, or (b) when the Services Agreement terminates or expires, whichever occurs first.
9.2. Either party may terminate this Agreement and the Services Agreement by written notice to the other if the other party materially breaches this Agreement and does not promptly cure such breach of the Agreement after receiving notice thereof from, and within the timeframe specified by, the first party (or cure is not feasible).
9.3. Upon termination of this Agreement for any reason, if feasible, Business Associate will return or destroy (at Covered Entity’s discretion) all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate or any of Business Associate’s Subcontractors still maintain in any form and retain no copies of such information. If the parties agree that return or destruction is not feasible, and thus Business Associate must retain some amount of PHI, Business Associate will extend the protections of this Agreement to the PHI retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. Business Associate will return or destroy retained PHI (at Covered Entity’s direction), as soon as practicable, as soon as reasonably practicable upon it becoming feasible to do so. For purposes of this section, at Covered Entity’s direction, Business Associate’s return of PHI may be made to another business associate acting on Covered Entity’s behalf. This paragraph will survive termination or expiration of this Agreement.

10. Obligations of Covered Entity
10.1. Covered Entity represents and warrants that it has the right and authority to disclose PHI to Business Associate for Business Associate to perform its obligations and provide services to Covered Entity, and Covered Entity will not request Business Associate to use or disclose PHI in any manner that would violate HIPAA, other applicable laws or Covered Entity’s privacy notice, if done by Covered Entity.
10.2. The Covered Entity will provide Business Associate with the notice of privacy practices applicable to Covered Entity as required by 45 C.F.R. § 164.520, and thereafter notify Business Associate of any changes to that notice if those changes affect Business Associate’s permitted or required uses and disclosures. Business Associate acknowledges that, as of the date of execution of this Agreement, Covered Entity has provided its notice of privacy practices to Business Associate in accordance with this subsection.
10.3. The Covered Entity will provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose his or her PHI, if those changes affect Business Associate’s permitted or required uses and disclosures.
10.4. The Covered Entity will notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 if those changes affect Business Associate’s permitted or required uses and disclosures.
10.5. To the extent required under the HIPAA Rules, Covered Entity will request from Business Associate only the minimum PHI necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder.

11. Indemnification
The provisions of the Services Agreement regarding indemnification and indemnification procedures apply to any damages, taxes, penalties, fines, costs, losses, and liabilities that arise out of or relate to this Agreement. This section will survive termination or expiration of this Agreement.

12. Miscellaneous
12.1. To the extent Business Associate carries out obligations of Covered Entity under the HIPAA Rules, Business Associate shall comply with the applicable provisions of the HIPAA Rules as if such performance were carried out by Covered Entity.
12.2. This Agreement is intended for the sole benefit of Business Associate and Covered Entity and does not create any third party beneficiary rights, except to the extent that the Privacy Rule validly requires the Secretary to be a third party beneficiary to this Agreement.
12.3. This Agreement cannot be amended except by the mutual written agreement of the parties.
12.4. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of the Agreement fails to comply with the then-current requirements of the HIPAA Rules, and notifies the other party of that belief in writing, the parties will address in good faith those concerns and will amend the terms of this Agreement within thirty (30) days, if necessary to bring it into compliance. If after such period the Agreement fails to comply with the HIPAA Rules, with respect to the concern(s) raised pursuant to this paragraph, then either party will have the right to terminate this Agreement upon written notice to the other.
12.5. Any ambiguity in this Agreement will be resolved in a manner that is compliant with applicable law, including 45 C.F.R. Parts 160, 162, and 164.
12.6. This Agreement supersedes and replaces any and all previous Business Associate Agreements or amendments between Covered Entity and Business Associate.
12.7. Business Associate’s obligations under this Agreement will survive the termination of the Agreement.