Provider Services Agreement
Last Updated: June 2024
This PROVIDER SERVICES AGREEMENT (this “Agreement”) is made by and between Persana, Inc., a Delaware corporation (“Persana”), and the individual or entity that this Agreement is associated with (“Provider”). This Agreement is effective as of the date Provider accepts and acknowledges this Agreement (“Effective Date”). Persana and Provider are referred to herein as, separately, a “Party” and, together, as the “Parties.” The terms of this Agreement are in addition to the terms and conditions set forth in the Terms of Use and Privacy Policy, each available at www.persana.com.
Services
1.1 General Services. Persana provides a technology platform (“Platform”) for prospective clients to find, schedule, pay for, and have an introductory audio/video chat session/meeting (“Session”) with physicians and surgeons (“Session Support”). Persana also provides the ability for physicians and surgeons to offer in-person, non-surgical treatments through a structured appointment scheduling process (“Scheduling Support” and, together with Session Support, the “Services”). Provider desires to purchase the Services and be listed on Persana’s website. Provider has the absolute right and full discretion to accept or reject a request from a prospective client for a Session, and shall only accept those prospective clients currently residing in states where Provider is appropriately licensed to provide services, if a license is necessary. The Session does not necessarily establish a client-provider relationship unless Provider determines that such relationship has been established and ensures the Session meets all necessary requirements for a client-provider encounter.
1.2 Billing and Collection.
(a) Support Services. On behalf of Provider, Persana shall bill the client for each Session scheduled through the Platform at a Session rate determined by Provider and provided to Persana, and Persana shall, on behalf of Provider, collect the payment from the client for any Session scheduled through the Platform. Sessions via the Platform will be billed via Stripe, Persana’s third-party service provider for payment services. Persana shall retain as compensation from Provider for the Session Services an amount equal to (i) $50 for Sessions which take the form of text-based chat and (ii) $125 for Sessions which take the form of video (each, a “Service Fee” and, collectively, “Service Fees”) and remit the remainder of the payment for the Session to Provider. On a quarterly basis, Persana shall remit to Provider an amount equal to the aggregate fees collected by Persana on behalf of Provider in the prior calendar quarter, less an amount equal to the sum of (i) the aggregate amount of the Service Fees for the past calendar quarter and (ii) the aggregate amount of refunds provided to clients.
(b) Scheduling Services.
NextPatient: If Provider uses NextPatient to provide their availability for in-person services through the Scheduling Support process and a client thereby schedules an in-person appointment, Provider shall pay to Persana for the Scheduling Support an amount equal to $125 (“Scheduling Fee”) for each scheduled visit. Persana shall bill Provider each month for the Scheduling Fee owed, and Provider shall pay such invoice within 90 calendar days, or Persana shall have the right to offset the Scheduling Fee owed against any amounts collected by Persana on behalf of Provider for Sessions that have not yet been remitted to Provider.
Acuity Scheduling: If Provider uses Acuity Scheduling to provide their availability for in-person services through the Scheduling Support process and a client thereby schedules an in-person appointment, the client will use Stripe to pay a service fee of an amount equal to $125 (“Service Fee”), which Persana will retain. Provider shall reduce the client’s total appointment cost by $125 and the client will pay any balance due to Provider at the physical appointment.
(c) Cancellation Policy. Provider acknowledges and agrees that (i) for in-person services booked through the Scheduling Support process, clients may reschedule or cancel appointments up to 24 hours before the scheduled appointment time by contacting Persana and, upon Persana receiving such request to reschedule or cancel, Persana shall promptly share such information with Provider, (ii) if Provider desires to reschedule or cancel an in-person appointment booked by a client through the Scheduling Process, Provider shall contact Persana and Persana shall communicate with the client accordingly, (iii) it shall not provide or make available to client any change, cancellation, or similar policy, and/or otherwise purport to establish terms between client and Provider with respect to changes and cancellations, and (iv) that Persana’s policy with respect to changes and cancellations, including any refunds, as updated and amended from time to time, shall govern and apply.
(d) Refund. In the event that a client requests a refund for any (A) Session provided by Provider, Persana shall have sole discretion to determine, on behalf of Provider and Persana, whether and how much to refund to the client and, in the event Persana refunds an amount that includes the Service Fee, Persana shall be entitled to either (i) offset the Service Fee owed to Persana against any other amounts Persana collected or may in the future collect on behalf of Provider or (ii) invoice Provider for the applicable Service Fee, and/or (B) in-person appointment scheduled through the Scheduling Support process, Provider shall be responsible for managing the refund request and, irrespective of the Provider’s administration, Persana shall retain and/or be paid the Scheduling Fee or Service Fee, as applicable. Persana and Provider acknowledge that each values client satisfaction and any refund requests shall be considered in accordance with such principle.
1.3 Additional Services. Provider agrees that Persana may, at any time, (i) add new services to the Services for additional fees and charges or (ii) prospectively modify fees and charges for existing Services (including prospectively charging fees for the Services not previously charged for) pursuant to notice to Provider as set forth herein.
Provider Obligations
2.1 Provider Responsibilities.
(a) Except as otherwise provided in this Agreement, Provider, at their own expense, is responsible for procuring all services, hardware, desktop software, and other technology necessary to access and use the Platform and to provide the professional services to their client (including, without limitation, internet access services, data network services, and compliant web browsers).
(b) Provider must maintain all necessary and applicable licenses and credentials and board certifications in good standing and provide services in accordance with applicable law, regulations, and the generally accepted standards of their profession, and will faithfully adhere to all applicable ethical guidelines in order to receive the Services hereunder.
(c) Provider has sole and exclusive control regarding which client they accept and/or provide professional services to, how those professional services are provided (via asynchronous chat, audio/visit Session or in-person) and during what times and days they are available to provide services audio/visit Sessions or in-person services. Providers have the right to refuse in-person services booked through the Scheduling Support process. If a Provider chooses to reschedule or cancel an appointment for any reason, they should contact Persana directly to make the changes in accordance with Section 1.1(c). With respect to direct messages received through the Platform, Provider agrees to respond to direct messages received from client within 72 hours of receipt. In the event Provider does not respond within 72 hours, client may be entitled to a refund in accordance with Section 1.2(d) above.
(d) Provider shall be solely responsible for confirming that they have any licenses necessary to have the Session with the prospective client, taking into account where the prospective client resides.
(e) Provider agrees to provide no less than two (2) hours per calendar month of scheduled clinical practice time with clients on the Platform.
(f) Provider agrees to use reasonable efforts to market, advertise and promote Persana, including the Platform, on and across any and all marketing platforms owned and/or operated by Provider or on Provider’s behalf; provided, however, that Provider shall not be obligated to incur out-of-pocket costs in satisfaction of this subsection. Persana shall provide and/or make available to Provider marketing and promotional materials for use by Provider, as well as guidelines related to promotion best practices. Persana does not represent that any such guidelines are compliant with all applicable laws and regulations, and the entire risk and liability of using such guidelines remains solely and exclusively with Provider.
(g) Provider agrees to use the Platform in good faith and not circumvent the interests of Persana in providing the Services. For example, Provider shall not intentionally or willfully use some or all of the Services to meet prospective clients and then meet with and/or consult with such clients “offline” (i.e., not on the Persana platform) in order to avoid payment of the Service Fee.
(h) Provider agrees Provider is responsible for paying any direct or indirect taxes, including any sales and/or income tax, which may apply to Provider depending on residency, location or otherwise, and Provider further represents and warrants that Provider shall comply, and will comply at all times, with Provider’s obligations under income tax provisions in Provider’s jurisdiction.
2.2 Consents. Provider shall obtain any and all consents necessary to have the Sessions with the prospective client. If Provider uses the Scheduling Support, Provider shall be solely responsible for obtaining any necessary consents from the client, including, if applicable, a consent to use the client’s photographs for marketing purposes.
2.3 Information. Provider agrees to cooperate with Persana and provide Persana, at Persana’s request, any Provider information necessary to use the Platform and/or provide the Services. Such information to be provided by Provider includes, but shall not be limited to, Provider’s (i) license number(s) and state(s) of issuance, (ii) board certifications, (iii) practice address(es), (iv) bank information; (v) procedure list and pricing schedule; and (vi) general hours of availability and cancellation policy. In the event Provider shares updated information with Persana (for example, a new pricing schedule), Persana shall use prompt and reasonable efforts to effect any required action (for example, updating the Platform). Provider acknowledges there may be a reasonable delay in Persana taking action and Persana shall not be responsible for any direct or indirect consequences thereof.
2.4 Accuracy of Account. When creating an account on the Platform, Provider agrees to provide the Platform with information that is accurate, complete, and current at all times with respect to Provider and Provider’s specialties, credentials, practice, and/or business, including, without limitation, truthful, untouched before and after photos of procedures previously carried out. Failure to provide accurate, complete, and current information constitutes a breach of this Agreement, which may result in the immediate termination of this Agreement and Provider’s account on the Platform.
Term
3.1 Term. The term of this Agreement shall commence on the Effective Date and shall continue for one (1) year. Thereafter, this Agreement shall automatically renew for additional terms of one (1) year each unless either Party provides thirty (30) days’ prior written notice to the other Party.
3.2 Termination Without Cause. Either Party may terminate this Agreement without cause upon thirty (30) days’ prior written notice to the other Party.
3.3 Immediate Termination. This Agreement may be terminated immediately:
(a) By either Party due to a material breach of any term or provision of this Agreement by the other Party upon written notice of such breach to the breaching Party;
(b) By Persana if Provider’s license to practice medicine in any jurisdiction lapses or is limited, denied, suspended, revoked, terminated, relinquished (for any reason), or restricted in any way;
(c) By Persana, in its sole discretion, in the event of numerous client complaints or requests for refunds, or a complaint alleging serious misconduct by the Provider; or
(d) By Persana if Provider is arrested or charged with a misdemeanor or felony or is the subject of any investigatory, disciplinary, or other proceeding before any governmental, professional, licensing, or peer review body.
3.4 Effects of Termination. Upon termination of this Agreement for any reason, no Party shall have any further obligation hereunder, except that Persana will be entitled to compensation for the Services rendered through the effective date of termination, and Persana shall continue to pass through payments it collects on behalf of Provider for Provider’s services rendered prior to the effective date of termination. Upon termination of this Agreement, the Parties agree to make reasonable efforts to arrange for all property, Confidential Information, premises, resources, documents, records, and materials to be timely returned to the sole and exclusive control of the Party that provided them, except where retention may be required under the law.
Confidential Information
4.1 Confidentiality. The Parties acknowledge that during the course of this Agreement, each Party (“Receiving Party”) may be given access to or may become acquainted with Confidential Information of the other Party (“Disclosing Party”). In recognition of the foregoing and in addition to any other requirements of confidentiality under applicable law, the Receiving Party hereby agrees not to disclose or use any of the Confidential Information of the Disclosing Party except in connection with the Services rendered hereunder for the term of this Agreement and an additional period of five (5) years thereafter. For purposes of this Agreement, “Confidential Information” means all information disclosed by the Disclosing Party to the Receiving Party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including, without limitation:
(a) With respect to Provider, Provider Data. As used herein, “Provider Data” means the content, information, or other data that Provider processes through, or stores on, the Platform or that they otherwise provide to Persana for the performance of the Services.
(b) With respect to Persana, the terms of this Agreement, pricing, and the Platform and/or Service(s).
(c) With respect to both Parties, any and all information concerning either Party’s business operations, sales pipeline, customers, suppliers, client lists, client files, methods and strategies, know-how, future products or plans, financial information or condition, technology, or prospects, in any form or medium whatsoever (including, without limitation, writings, drawings, and electronically stored information and data), whether or not marked or labeled as “confidential,” including, without limitation, (i) business information and data of the Disclosing Party; (ii) technical information and data or trade secrets of the Disclosing Party; (iii) nonpublic intellectual property of the Disclosing Party (for example, inventions, discoveries, designs, methods, processes, and ideas (whether or not patented or patentable), logos, trade secrets, trade names, trademarks and service marks (whether or not registered), and works of authorship (whether copyrighted or copyrightable)); and (iv) all tangible manifestations (however embodied) of any of the information and data referred to in clauses (i), (ii), and (iii) above (for example, computer software, firmware, scripts or objects, hardware, programmer’s notes, databases, manuals, training manuals and materials, memoranda, reports, drawings, sketches, flowcharts, models, prototypes, files, films, records, and forms).
4.2 Exceptions. The restrictions on use and disclosure of Confidential Information will not apply to information that the Receiving Party can demonstrate (a) is or has become generally known to the public without breach of any obligation owed to the Disclosing Party, (b) was known to the Receiving Party before its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (c) was received from a third party without knowledge of any breach of any obligation owed to the Disclosing Party, (d) was independently developed by the Receiving Party without access to or use of such information, or (e) is required to be disclosed pursuant to a regulation, law, or court order (but only to the minimum extent required to comply with such regulation, law, or order and with advance notice to the Disclosing Party (to the extent legally permitted)). As between the Parties, each Party retains all ownership rights in and to its Confidential Information.
4.3 Business Associate Addendum. Persana is acting as a business associate, as defined by HIPAA, to Provider in performing its obligations with respect to Protected Health Information (as defined under HIPAA) under this Agreement, and, by virtue of agreeing to this Agreement, Persana and Provider agree to comply with the Business Associate Agreement attached as Exhibit A hereto and that is incorporated herein by reference. To the extent any terms and conditions set forth in the Agreement conflict with the terms and conditions set forth in the Business Associate Addendum, the terms and conditions in the Business Associate Addendum will control.
4.4 Survival. The confidentiality obligations of this Section 4 survive expiration or termination of this Agreement.
Intellectual Property
5.1 Persana Intellectual Property. As between the Parties, Persana retains all ownership rights in any proprietary methodologies, methods, processes, procedures, and other intellectual property of Persana that preexist or were developed inside or outside the scope of this Agreement.
5.2 License to Persana Intellectual Property. Persana grants to Provider a royalty-free, paid-up, nonexclusive, nonassignable, nontransferable, limited license to access and use the Platform and other Persana intellectual property in connection with the Services solely for Provider to deliver professional services using the Platform.
5.3 Use of Materials. Provider grants to Persana a royalty-free, paid-up, nonexclusive, nonassignable, nontransferable, worldwide, limited license to use any and all Provider Data, including the Provider’s likeness, name and logo, for the purposes of marketing the Provider’s use of the Platform and the Services, including the use of such Provider Data on Persana’s various media platforms and in other marketing and communication materials. Provider represents that it has any and all necessary licenses and consents in order for Persana to make use of such Provider Data as described in the preceding sentence.
Insurance
Each Party shall arrange and maintain, with financially sound and reputable insurers, general commercial insurance, cyber/tech insurance, and errors and omissions insurance, in each case, in adequate amounts to cover the obligations and claims or damages for which a Party may be liable under the terms of this Agreement, and to cover each Party’s employees, agents, consultants, subcontractors or other representatives and consistent with industry practice. Without limiting the generality of the foregoing, Provider, at its sole cost and expense, shall have in effect medical malpractice insurance coverage of at least between One Million Dollars ($1,000,000). Upon a Party’s request, the other Party shall provide the requesting Party with a copy of such policies. The provisions of this Section 6 shall survive the termination or expiration of this Agreement.
Indemnification
7.1 Obligation of Provider. In addition to any indemnification obligations set forth in the Terms of Use, Provider agrees to indemnify and hold harmless and defend Persana and its directors, officers, employees, volunteers, and agents from and against any and all third-party claims, suits, damages, fines, penalties, liabilities, and expenses (including reasonable attorney fees and court costs) resulting from or arising out of any claimed willful or negligent act or omission by Provider or any of their employees, agents, or volunteers pertaining to the use of the Services and provision of professional services, failure to obtain any required consent, use of a client’s photograph for marketing purposes without consent, or any breach of the Agreement by Provider.
7.2 Obligation of Persana. Persana agrees to indemnify and hold harmless Provider and their employees, volunteers, and agents from and against any and all third-party claims, suits, damages, fines, penalties, liabilities, and expenses (including reasonable attorney fees and court costs) resulting from or arising out of any claimed willful or negligent act or omission by Persana or any of its directors, officers, employees, agents, or volunteers pertaining to intellectual property infringement and/or cybersecurity incidents in connection with the Platform or Services. Persana’s aggregate liability for any such intellectual property infringement or cybersecurity incident shall be capped at the aggregate amount of Service Fees received by Persana in respect of the Services provided to Provider in the 12 months prior to such alleged infringement and/or incident. Persana shall not be liable under this section (a) for any settlement of any litigation or proceedings effected without their prior consent and (b) to the extent any claim is based on the gross willful or negligent act or omission of Provider or any of its representatives.
7.3 Other Exclusions. In no event shall either Party be liable to the other Party or any third party for any special, incidental, punitive, exemplary or consequential damages (including loss of use, data, business, revenue or profits) or for costs of procuring substitute services, arising out of or in connection with this Agreement, however caused and regardless of the theory of liability, even if a Party has been advised of the possibility of such damages or if such damages were foreseeable.
7.4 Survival. The provisions of this Section 7 shall survive the termination or expiration of this Agreement.
Disclaimers
8.1 Templates. To the extent that Persana and/or the Platform make available to Provider template forms for Provider’s use, Persana does not represent that such template forms are compliant with all applicable laws and regulations, and the entire risk and liability of using such template forms remains solely and exclusively with Provider.
8.2 Telecommunications. Provider acknowledges that Persana (a) does not control communications with third-party telecommunications providers and (b) will not be responsible for any error or inaccessibility associated with such telecommunications or any violation of law, rule, or regulation applicable to transmission of data via such telecommunications.
8.3 No Practice of Medicine. Notwithstanding anything contained herein to the contrary, Provider shall be exclusively in control of and responsible for all professional services delivered by Provider. Persana shall neither provide professional medical services nor otherwise interfere with the professional judgment of Provider.
Miscellaneous
9.1 Notices. Any notice required or permitted under this Agreement shall be given in writing; if to Persana, then to support@persana.com; if to Provider, at the name and address used by Provider to create an account on the Platform. Notices shall be deemed to have been received upon actual receipt by hand delivery, one (1) business day after being sent by overnight courier service, three (3) business days after mailing by first-class mail, or upon confirmation of receipt in the case of email transmission, whichever occurs first.
9.2 Governing Law. This Agreement shall be governed by, and construed in accordance with, the laws of the state of Delaware applicable to contracts made and performed in that state, without regard to conflicts-of-law principles.
9.3 Waiver. No failure by a Party to insist upon the strict performance of any covenant, agreement, term, or condition of this Agreement shall constitute a waiver of any such breach of such covenant, agreement, term, or condition. No waiver of any breach shall affect or alter this Agreement, but each and every covenant, agreement, term, and condition of this Agreement shall continue in full force and effect.
9.4 Force Majeure. If either of the Parties is delayed in or prevented from fulfilling any of its obligations under this Agreement by Force Majeure, such Party shall not be liable under this Agreement for such delay or failure. “Force Majeure” means any cause beyond the reasonable control of a Party, including, but not limited to, act of God, act or omission of civil or military authorities of a state or nation, fire, strike, flood, riot, war, delay of transportation, or inability due to the aforementioned causes to obtain necessary labor, materials, equipment, or supplies.
9.5 Severability. Whenever possible, each provision hereof shall be interpreted in such manner as to be effective or valid under applicable law, but if any provision (or portion thereof) of this Agreement shall be prohibited by or invalid under applicable law, such provision (or portion thereof) shall be ineffective only to the extent of such prohibition or invalidity without invalidating the remainder of such provision or the remaining provisions of this Agreement.
9.6 Assignment. Neither Party may assign or transfer, in whole or in part, this Agreement or any rights or obligations pursuant to this Agreement without the other Party’s prior written consent. Any such assignment by either Party without consent shall be null and void.
9.7 Amendments. We may update this Agreement upon 30 days’ notice to you. Notice and updates will be available on our website at www.persana.com.
9.8 Entire Agreement. This Agreement, along with any attachments incorporated herein and attached hereto, the Terms of Use, and the Privacy Policy, supersedes all previous contracts, agreements, and understandings, both oral and written, and constitutes the entire Agreement between the Parties.
9.9 Counterparts. This Agreement may be executed in counterparts, which may be exchanged via facsimile or other electronic means, each of which shall be deemed to be an original instrument, and both of which shall constitute one and the same instrument.
9.10 Independent Contractor. The Parties agree that, in providing Services pursuant to this Agreement, each Party is and at all times shall be an independent contractor in relation to the other Party. Nothing contained in this Agreement is intended or shall be construed to create an employer/employee relationship or to allow the Party receiving Services to exercise any control or direction, nor shall such Party have the right to exercise any control or direction, over the methods or manner in which the performing Party performs Services or over the employees used by the performing Party to perform Services.
Exhibit A
HIPAA BUSINESS ASSOCIATE ADDENDUM
This Business Associate Agreement (“BA Agreement”) supplements and is made a part of the Provider Services Agreement (as described below) by and between the individual or entity that the Provider Services Agreement is associated with (“Covered Entity”) and Persana, Inc. (“Business Associate”). This BA Agreement is effective as of the date Covered Entity accepts and acknowledges the Provider Services Agreement (the “Effective Date”). Covered Entity and Business Associate may be referred to herein collectively as the “Parties” or individually as “Party.”
WHEREAS, Covered Entity and Business Associate are parties to a Provider Services Agreement, pursuant to which Business Associate provides certain services to Covered Entity (“Services Agreement”). In connection with Business Associate’s services, Business Associate may create, receive, maintain and/or transmit Protected Health Information (“PHI”) from or on behalf of Covered Entity, which information is subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), and related regulations promulgated by the Secretary (“HIPAA Regulations”).
WHEREAS, in light of the foregoing and the requirements of HIPAA, the HITECH Act, and HIPAA Regulations, Business Associate and Covered Entity agree to be bound by the following terms and conditions.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Definitions.
Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning given to those terms by HIPAA, the HITECH Act, and HIPAA Regulations as in effect or as amended from time to time.
2. Obligations and Activities of Business Associate.
a. Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Services Agreement, this BA Agreement, or as Required By Law. Business Associate acknowledges that this BA Agreement is not between Business Associate and a patient or client. Business Associate shall comply with the provisions of this BA Agreement relating to privacy and security of PHI and all present and future provisions of HIPAA, the HITECH Act, and HIPAA Regulations that relate to the privacy and security of PHI and that are applicable to Covered Entity and/or Business Associate.
b. Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule to prevent the use or disclosure of PHI other than as provided for by this BA Agreement or as Required by Law. Without limiting the generality of the foregoing sentence, Business Associate will:
i. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the HIPAA Security Rule; and
ii. Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic protected health information;
c. Reporting. Business Associate agrees to promptly, without unreasonable delay, and at most within thirty (30) business days, report to Covered Entity any of the following:
i. Any use or disclosure of PHI not permitted by this BA Agreement or Services Agreement of which Business Associate becomes aware.
ii. Any successful Security Incident of which Business Associate becomes aware.
iii. The discovery of a Breach of Unsecured Protected Health Information.
A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured Protected Health Information shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Security Incident or Breach, as well as any other relevant information regarding the Security Incident or Breach. Any such notice shall be directed to Covered Entity, pursuant to the notice provisions of the Services Agreement, or to the Privacy Officer of Covered Entity. A successful Security Incident shall not include pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
d. Mitigation. Business Associate agrees to take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its employees, officers, Subcontractors, or agents in violation of the requirements of this BA Agreement (including, without limitation, any Security Incident or Breach of Unsecured PHI), or the HIPAA Regulations.
e. Reports and Notices. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, HIPAA Regulations, the HITECH Act, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.
f. Access and Amendments to Designated Record Sets. Business Associate will not possess or maintain PHI in a Designated Record Set on behalf of the Covered Entity.
g. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, available to the Covered Entity, or to the Secretary of the United States Department of Health and Human Services, in the time and manner otherwise designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
h. Accountings. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, HIPAA Regulations and the HITECH Act.
i. Requests for Accountings. Business Associate agrees to provide to Covered Entity or an Individual, within thirty (30) of a request by Covered Entity, information disclosed in accordance with Section 2(a) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, HIPAA Regulations, and the HITECH Act. If an Individual makes a request for an accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity regarding the response to the request.
j. Minimum Necessary. Business Associate agrees to limit its requests for and uses and disclosures of Covered Entity’s PHI to the minimum necessary and comply with any minimum necessary policies and procedures that Covered Entity provides to Business Associate.
3. Permitted Uses and Disclosures by Business Associate.
a. Services Agreement. Except as otherwise limited in this BA Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate HIPAA, HIPAA Regulations, or the HITECH Act if done by Covered Entity, or the minimum necessary policies and procedures of the Covered Entity.
b. Use for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
c. Disclosure for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
d. Data Aggregation and De-Identified Data. Business Associate may use or disclose PHI to provide Data Aggregation services, or to de-identify PHI, except as otherwise limited by HIPAA, HIPAA Regulations, or the HITECH Act. Once information is de-identified, this BA Agreement shall not apply.
4. Permissible Requests by Covered Entity.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
5. Term and Termination.
a. Term. This BA Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created, received or maintained by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement. Upon Covered Entity’s knowledge of a material breach by Business Associate of the terms of this BA Agreement, Covered Entity shall either:
i. Provide written notice to Business Associate and provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, Covered Entity shall terminate: (A) this BA Agreement; (B) all of the provisions of the Services Agreement that involve the use or disclosure of PHI; and/or (C) such other provisions, if any, of the Services Agreement as Covered Entity designates; or
ii. Notwithstanding anything contained in the Services Agreement to the contrary, if Business Associate has breached a material term of this BA Agreement and cure is not possible, the Covered Entity may immediately terminate: (A) this BA Agreement; (B) all of the provisions of the Services Agreement that involve the use or disclosure of PHI; and/or (C) such other provisions, if any, of the Services Agreement.
c. Effect of Termination.
i. Except as provided in Section 5(c)(ii), upon termination of this BA Agreement or the Services Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
ii. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6. Miscellaneous.
a. No HIPAA Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Covered Entity and Business Associate for purposes of liability under HIPAA, HIPAA Regulations, or the HITECH Act. No terms or conditions contained in this BA Agreement shall be construed to make or render Business Associate an agent of Covered Entity.
b. Regulatory References. A reference in this BA Agreement to a section in HIPAA, HIPAA Regulations, or the HITECH Act means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
c. Amendment. The Parties agree to take such action as is necessary to amend the Services Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, the HIPAA Regulations, and the HITECH Act.
d. Interpretation. Any ambiguity in this BA Agreement shall be resolved to permit compliance with HIPAA, HIPAA Regulations, and the HITECH Act.
e. Miscellaneous. The terms of this BA Agreement are hereby incorporated into the Services Agreement. Except as otherwise set forth in Section 6(d) of this BA Agreement, in the event of a conflict between the terms of this BA Agreement and the terms of the Services Agreement, the terms of this BA Agreement shall prevail. The terms of the Services Agreement which are not modified by this BA Agreement shall remain in full force and effect in accordance with the terms thereof. This BA Agreement shall be governed by, and construed in accordance with, the laws of the State of Delaware, exclusive of conflict of law rules. Each Party hereby agrees and consents that any legal action or proceeding with respect to this BA Agreement shall only be brought in the State and County of Los Angeles, California. The Services Agreement together with this BA Agreement constitutes the entire agreement between the Parties with respect to the subject matter contained herein, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the Parties. This BA Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or facsimile signatures to this BA Agreement shall be deemed original signatures to this BA Agreement. No amendments or modifications to the BA Agreement shall be effective unless executed by both Parties in writing.