Health Information Services Provider (HISP) Services
Agreement,
Provider Directory Data Sharing Agreement,
and Business Associates Agreement
Effective August 25, 2020
THIS HEALTH INFORMATION SERVICE PROVIDER (HISP)
SERVICES AGREEMENT (the “Agreement”) is made and entered into the effective
date by and between iShare Medical, LLC (“iShare Medical”), a
Missouri limited liability company, and Covered Entity (“Subscriber”).
WHEREAS, iShare is a health information services
provider (“HISP); and
WHEREAS, iShare
Medical is a DirectTrust Accredited Trust Anchor HISP and DirectTrust Network
Service Provider; and
WHEREAS, iShare Medical is Accredited HISP Privacy
and Security by the Electronic Healthcare Network Accreditation Commission
(“EHNAC”); and
WHEREAS, iShare Medical provides HISP services and
other related services described more fully herein, including the facilitation
of Direct Messages (as defined below) and attachments thereto which may contain
protected health information, to individuals and organizations; and
WHEREAS, Subscriber desires to engage iShare
Medical to provide HISP services and other related services to Subscriber and
iShare Medical desires to provide such services in accordance with the terms
and conditions specified herein.
WHEREAS, Subscriber will appoint a Trusted Agent (“Trusted
Agent”) who will be responsible for providing collection of information and
confirmation of authorized users in the Subscribers organization.
NOW THEREFORE, in consideration of the recitals
above and the terms and conditions more particularly set forth below, the
parties do hereby agree as follows:
ARTICLE I
ENGAGEMENT
1.1
Engagement. Subscriber hereby engages iShare Medical on
an independent contractor basis, and iShare Medical accepts such engagement, to
provide HISP and other related services (the “Services”) as described in Section 1.2 hereof, in accordance with
the terms and conditions of this Agreement.
1.2
Services. iShare Medical will provide the following Services
to Subscriber:
1.2.1
iShare Medical shall provide identity verification
services for individuals and organizations through itself or its
EHNAC-accredited Registration Authority (“RA”)
and verify the identity of the individual or organization to the level of
verification assurance necessary to facilitate secure information exchange;
1.2.2
iShare Medical shall provide digital certificate
issuance, management and revocation services through itself or its
EHNAC-accredited Certificate Authority (“CA”). The Direct Certificate is issued in
accordance with DirectTrust’s direct protocol and will be issued to and identify
the Subscriber or another individual or organization;
1.2.3
iShare Medical shall assign domains and unique iShareID
Direct Addresses (“Direct Addresses”)
for accounts to Subscribers and other individuals and organizations in
adherence with the Direct Project, which is a nationwide project to specify a
simple, secure, scalable, standards-based way for participants to send
authenticated, encrypted health information directly to known, trusted
recipients over the Internet;
1.2.4
iShare Medical shall use the Direct Addresses to
send and receive secure Direct Messages and attachments thereto from Subscriber
that may contain patient medical records and other protected health information. “Direct
Messages” are secure messages sent between trusted Direct Certificate
holders or other trusted parties;
1.2.5
iShare Medical shall store and maintain digital
certificates and associated private keys to protect the confidentiality of
protected health information;
1.2.6
iShare Medical shall provide software tools to
establish a direct account for Subscriber to allow authorized individuals and
organizations access to its Direct Messages and attachments thereto; and
1.2.7
iShare Medical shall provide data hosting for
Subscriber for Direct messages and attachments.
ARTICLE II
OBLIGATIONS OF SUBSCRIBER
2.1
HIPAA Compliance. Prior to disclosing or transmitting any
protected health information to iShare Medical pursuant to this Agreement, if
applicable, Subscriber shall ensure that it has obtained a valid authorization
from an individual or an individual’s representative or is otherwise permitted
to use or disclose an individual’s protected health information under the
Health Insurance Portability and Accountability Act of 1996 and the regulations
promulgated thereunder at 45 CFR Parts 160 and 164 (collectively “HIPAA”) in accordance with this
Agreement. Subscriber acknowledges that, due to the provision of certain services
hereunder, iShare Medical is Subscriber’s business associate, as that phrase is
defined under HIPAA. Thus, Subscriber
and iShare Medical have entered into a Business Associate Agreement, attached
hereto as Exhibit C.
2.2 Payment. Subscriber shall timely pay iShare Medical
for its Services in accordance with Section 4.1 hereof.
ARTICLE III
TERM AND TERMINATION
3.1 Term. The initial Agreement term shall be for one
year (the “Initial Term”) commencing
on the Effective Date, defined below, subject to earlier termination of this
Agreement pursuant to Section 3.2 hereof.
The “Effective Date” means
the date in which the Subscriber agrees to this Agreement, unless the parties
agree otherwise in writing. This
Agreement shall automatically renew for successive one (1) year renewal terms
(each a “Renewal Term”) unless
either party gives written notice at least thirty (30) days prior to the
expiration of the Initial Term or the then current Renewal Term of an intention
not to renew. The Initial Term and any
Renewal Term(s) are referred to collectively as the “Term.”
3.2 Termination. Either party may terminate this Agreement for
cause in the event of a material breach by the other party. In such case, the terminating party must give
written notice to the other party specifying in reasonable detail the claimed
breach. The other party shall have
thirty (30) days following receipt of such notice in which to cure the
breach. If the claimed breach is not so
cured within such period, the non-breaching party shall have the right, but not
the obligation, to immediately terminate this Agreement.
ARTICLE IV
COMPENSATION
4.1 Compensation
for Services. In exchange for
the Services described herein, Subscriber shall pay iShare Medical the fees set
forth in Exhibit A at the time of purchase hereto (the “Fees”). iShare Medical shall
automatically charge the Subscriber monthly for the Fees and any overages that
apply. Subscriber shall automatic pay
the amount due via reoccurring credit card.
Subscriber’s failure to pay the full amount of any invoice within such
thirty (30) day period will be considered a material breach hereof and iShare
Medical may, at its option and in addition to all other remedies available to
iShare Medical hereunder, including termination of this Agreement, deactivate
Subscriber’s accounts until such time as payment is made in full or a payment
arrangement has been mutually agreed upon by both parties.
ARTICLE V
INDEPENDENT CONTRACTOR
5.1 Independent
Contractor Status. The
relationship of the parties hereunder is solely that of independent
contractors. Nothing herein is intended
to, nor shall it be construed to, make either party the employee, agent or
servant of the other for any purpose whatsoever.
ARTICLE XI
INDEMNIFICATION/LIMITATION
OF LIABILITY
6.1 Indemnification. Subscriber will indemnify and defend iShare
Medical and its officers, directors, managers, members, employees and
representatives against all claims and damages, including expenses and reasonable
attorneys' fees ("Claim")
to the extent arising out of its use or disclosure of protected health
information hereunder.
6.2 Limitation of Liability.
In no event will iShare Medical be liable for any special, indirect,
incidental or consequential damages in connection with or related to the
Services. Liability of iShare Medical
for claims related to this Agreement, whether in contract, tort or otherwise,
will not exceed the fees paid by the Subscriber for the Services to which the
claims relate.
ARTICLE
VII
NOTICE
7.1 Notices. All notices required or permitted to be given
under the terms of this Agreement shall be in writing, and shall be effective
upon delivery if delivered to the addressee in person, effective three (3)
business days after mailing if mailed by certified mail, postage prepaid,
return receipt requested, or effective the next business day if delivered by
overnight courier with charges prepaid, as follows:
If to iShare Medical: iShare
Medical, LLC
3150 Mercier, Suite 608A
Kansas City, Missouri 64111
Attn: Linda Van Horn, MBA
If to Subscriber: Subscribers
Trusted Agent
ARTICLE VIII
CONFIDENTIAL
INFORMATION/INTELLECTUAL PROPERTY
8.1 Confidential
Information. All business, proprietary,
financial, legal, and personal information disclosed by iShare Medical, either
intentionally or unintentionally, to Subscriber in connection with this
Agreement shall be held in strict confidence and shall not be disclosed by Subscriber
without the prior written consent of iShare Medical. For purposes of this Agreement, confidential
information shall not include protected health information, as defined for
purposes of HIPAA. Subscriber shall not
use any information gained as a result of this Agreement to the competitive
disadvantage or in any other way detrimental to iShare Medical. Subscriber shall not, during or after the
Term, disclose such confidential and proprietary information of iShare Medical,
or trade secrets of iShare Medical, to any other firm, person, corporation,
association or other entity for any reason or purpose whatsoever, or use such
information for Subscriber’s own benefit, without the prior written consent of iShare
Medical, unless otherwise required to disclose such by law, in which case Subscriber
shall immediately notify iShare Medical thereof. This Section shall survive the expiration or
termination of this Agreement for any reason.
8.2 Names, Logos, Marks.
Neither party shall use the name, logos, or marks of the other party
without such party’s prior written consent, except that Subscriber may use
iShare Medical’s name, logos, or marks to indicate that it may share
information hereunder and iShare Medical may use Subscriber’s name, logos, or
marks to identify it as a user of iShare Medical’s services. This Section shall survive the expiration or
termination of this Agreement for any reason.
8.3 Intellectual Property.
Each party shall retain all right, title and interest in all of its own
Intellectual Property and all elements and derivative works thereof, whether or
not developed in conjunction with the other party, and whether or not protected
or protectable. Notwithstanding the
foregoing, the parties agree that iShare Medical shall own any new Intellectual
Property that it develops pursuant to this Agreement, whether such development
is at the request of Subscriber or otherwise.
For purposes hereof, “Intellectual Property” means (a) copyrights, (b)
issued patents and patentable inventions, processes, methodologies, and
procedures, (c) trade secrets and know-how, (d) trademarks or service marks,
(e) moral rights, and (f) applications for registration or protection of any of
the foregoing. This Section shall
survive the expiration or termination of this Agreement for any reason.
ARTICLE IX
MISCELLANEOUS
9.1 Recitals. The recitals are true and correct and are
incorporated herein in their entirety.
9.2 Dispute Resolution. The parties agree to make all reasonable
efforts to resolve any and all disputes between them in connection with this
Agreement in an amicable manner.
9.3 Assignments.
Neither party may assign its rights or duties hereunder without the
prior written consent of the other party; provided, however, that iShare
Medical, at its discretion, may use one or more vendors or contractors to
fulfill its obligations hereunder.
9.4 Publicity. In
accordance with Section 8.2 above, iShare Medical may use Subscriber’s name in
press releases, product brochures, financial reports, and other marketing
materials indicating that Subscriber is a customer of iShare Medical.
9.5 Force Majeure.
Failure of iShare Medical to perform its obligations under this
Agreement will not subject iShare Medical to any liability to Subscriber if
such failure is caused by acts of God, legal restrictions, transportation
conditions, materials shortages, supplier delays, riot, sabotage, communication
losses or interruptions, embargo, strikes or any other cause beyond the
reasonable control of iShare Medical.
Such an occurrence or interruption shall not constitute a breach of this
Agreement or vest in Subscriber any right of damage, cancellation or
rescission. iShare Medical will resume
the performance of its obligations as soon as practicable after the force
majeure event has ceased.
9.6 Entire Agreement.
This Agreement supersedes all previous contracts or agreements between
the parties with respect to the same subject matter and constitutes the entire
Agreement between the parties hereto.
9.7 Governing Law.
This Agreement shall be construed and governed by the laws of the State
of Missouri. Any action or claim arising
from, under or pursuant to this Agreement shall be brought in the courts, state
or federal, within Kansas City, Missouri, and the parties expressly waive the
right to bring any legal action or claims in any other courts. The parties to this Agreement hereby consent
to venue in any state or federal court within Kansas City, Missouri for all
purposes in connection with any action or proceeding commenced between the
parties hereto in connection with or arising from this Agreement.
9.8 Severability.
In the event that any provision hereof is found invalid or
unenforceable, the remainder of this Agreement shall remain valid and
enforceable according to its terms.
9.9 Amendments.
This Agreement may be amended only by an instrument in writing signed by
the parties hereto.
9.10 Changes in Law or Interpretation of Law. The parties recognize that this Agreement at
all times is subject to applicable federal, state and local laws. The parties further recognize that this
Agreement shall be subject to amendments in and changing interpretations of
such laws and regulations and to possible new legislation as well. Should any provision of law (including
existing law) invalidate, or otherwise be inconsistent with, the terms of this
Agreement or cause one or both of the parties to be in violation of a material
law, the parties shall exercise their bests efforts to negotiate an amendment
to this Agreement so as to comply with such law, while maintaining the terms
and intent of this Agreement to the greatest extent possible consistent with
the requirements of law. If a party reasonably
requests an amendment to this Agreement pursuant to this Section and such
amendment is not negotiated within thirty (30) days, or sooner if required by
law, following notice of one party to the other that the Agreement or any
portion thereof is invalid or inconsistent with applicable law, the party
requesting the amendment may terminate this Agreement.
9.11 Counterparts.
This Agreement may be executed simultaneously in two or more
counterparts, each of which shall be deemed an original, but all of which
together shall constitute one and the same instrument.
iShare Medical
Provider Directory Data Sharing Agreement
Last Revised August 25, 2020
THIS PROVIDER DIRECTORY DATA SHARING AGREEMENT (the
“Agreement”) is made and entered into by and between iShare Medical,
LLC (“iShare Medical”), a Missouri limited liability company, and
the person or entity who is identified pursuant to Section 2.1 hereof and
agrees to the terms set forth herein by electronic signature (referred to
herein as “Subscriber”.
WHEREAS, iShare is a health information services
provider (“HISP); and
WHEREAS,
iShare Medical is a DirectTrust Accredited Trust Anchor HISP and DirectTrust
Network Service Provider; and
WHEREAS, iShare Medical is Accredited HISP Privacy
and Security by the Electronic Healthcare Network Accreditation Commission
(“EHNAC”); and
WHEREAS, as a DirectTrust Trust Anchor, iShare
Medical has access to data from multiple sources from which iShare Medical has
created its own Direct Address directory (the “iShare Medical Directory”);
and
WHEREAS, iShare Medical has developed software that
allows its customers and subscribers to query the iShare Medical Directory and
obtain Direct Addresses of providers and other persons; and
WHEREAS, Subscriber desires to enter into this
Agreement to be authorized to query the iShare Medical Directory and iShare
Medical desires to provide such authorization and access to the iShare Medical
Directory through iShare Medical’s software in accordance with the terms and
conditions specified herein.
NOW THEREFORE, in consideration of the recitals
above and the terms and conditions more particularly set forth below, the
parties do hereby agree as follows:
ARTICLE X
SERVICES
10.1 Querying Service. Subject to Article XI below, iShare Medical
shall provide to Subscriber software to allow Subscriber to query the iShare
Medical Directory (“Query”) and
shall set up an account that Subscriber may use to Query the iShare Medical
Directory (the “Account”). Subscriber may Query using the iShare Medical
Directory application via the Internet using an Internet enabled device via
their iShare Medical Messaging account. Upon making a Query, Subscriber will
receive a search result based upon the information provided by Subscriber.
10.2 Use of Information
Received from iShare Medical Directory.
Subscriber shall only use the information received from the iShare
Medical Directory in order to (i) send direct messages to other providers,
patients, third party insurers, business associates (as defined for purposes of
the HIPAA Privacy Rule), or other third parties, as authorized by law; (ii)
send direct text or direct instant messages to other providers, patients, third
party insurers, business associates (as defined for purposes of the HIPAA
Privacy Rule), or other third parties, as authorized by law; or (iii) perform
health information exchange functions, as authorized by law. Subscriber shall not use information received
from iShare Medical Directory for any other reason without iShare Medical’s
prior written consent, which consent may be withheld at iShare Medical’s sole
discretion.
10.3 Restrictions on
Distributing and Using Information.
Subscriber shall not shall not distribute to third parties, sell or
re-sell any iShare Medical Directory information, including any Direct
Addresses, nor shall Subscriber use such information for advertising,
soliciting business, sending spam messages, distributing mass communications or
influencing or attempting to influence for commercial purposes any diagnostic
or treatment-related decisions. iShare
Medical Directory can only be used in conjunction with iShare Medical HISP
services. iShare Medical Directory cannot
be purchased or used as a standalone product.
Further, iShare Medical Directory cannot be used for Direct
Messaging from any other HISP, product, or service other than the iShare
Medical product suite.
Access to iShare
Medical Directory or to any information returned from iShare Medical Directory is
limited to employees, agents, or servants of the Subscriber’s organization.
If information from
iShare Medical Directory is saved by Subscriber, Subscriber is responsible to
ensure the saved information is periodically updated and checked for validity and
accuracy while it is in use, such as for sending Direct Messages. All Directory data obtained from iShare
Medical Directory is only authorized to be used in accordance with this policy.
The restrictions in
this Section 10.3 are not intended to be an exclusive list of prohibited
actions with regard to the use or disclosure of information received by
Subscriber and Subscriber shall at all times abide by the permissible use
provisions set forth in Section 10.2 hereof.
10.4 Deactivation of
Subscriber Account. If
Subscriber violates the restrictions related to the use of information received
by Subscriber through iShare Medical Directory set forth in Section 10.2 or 10.3
or if Subscriber otherwise breaches this Agreement or violates applicable law
or regulations, iShare Medical may immediately deactivate Subscriber’s Account
and terminate this Agreement in accordance with section 12.2.
ARTICLE XI
OBLIGATIONS OF SUBSCRIBER
11.1 iShare Medical
Messaging Subscriber. iShare
Medical Directory is offered exclusively as a service to iShare Medical
Messaging Health Information Services Provider (HISP) subscribers. As such, subscribers are required to have an
iShare ID Direct Address.
11.2 Providing Information. As a condition of having access to the iShare
Medical Directory, Subscriber shall provide the following information to iShare
Medical: (i) the legal name of the Subscriber; (ii) the full name (i.e., first
name, last name and any suffix) of each individual that will have access to the
Account on Subscriber’s behalf; (iii) mailing address; (iv) telephone number;
and (v) credit card information.
11.3 Payment. Subscriber shall pay iShare Medical for the
services provided hereunder in accordance with Section 4.1 hereof. In order to make such payments and as a
condition of having access to the iShare Medical Directory, Subscriber shall
provide credit card information to iShare Medical in a form and format
designated by iShare Medical. iShare Medical shall automatically charge the
credit card information provided by Subscriber to set up an automated payment
mechanism for Subscriber to make payments under Section 4.1 to iShare Medical.
ARTICLE XII
TERM AND TERMINATION
12.1 Term. The Agreement term shall be for one (1) year
(the “Initial Term”) commencing on
the Effective Date subject to earlier termination of this Agreement pursuant to
Section 10.4 and Section 3.2 hereof.
Following the Initial Term, this Agreement shall automatically renew for
successive one (1) year renewal terms (each a “Renewal Term”) unless either party gives written notice to the
other party at least ninety (90) days prior to the expiration of the Initial
Term or the then current Renewal Term of such party’s intention not to
renew. The Initial Term and any Renewal
Term(s) are referred to collectively as the “Term.” The duration of each
of the Initial Term, the Renewal Term, and the Term is subject to earlier
termination of this Agreement pursuant to Section 3.2, Section 10.4, and
Section 12.2 hereof.
12.2 Termination.
12.2.1 Either party may terminate this Agreement for
cause in the event of a material breach by the other party. In such case, the terminating party must give
written notice to the other party specifying in reasonable detail the claimed
breach. The other party shall have
thirty (30) days following receipt of such notice in which to cure the breach. If the claimed breach is not so cured within
such period, the non-breaching party shall have the right, but not the
obligation, to immediately terminate this Agreement.
12.2.2 Notwithstanding the provisions of Section 12.2.1
or any other provision hereof, iShare Medical may terminate this Agreement
immediately if any other third party that owns or licenses databases from which
iShare Medical obtains necessary information for the iShare Medical Directory
no longer allows iShare Medical access to the necessary information to allow
iShare Medical to provide the services hereunder.
12.2.3 Notwithstanding the provisions of Sections 12.2.1
and 12.2.2, iShare Medical may terminate this Agreement as provided in Section
3.2, Section 10.4, and Section 12.2 hereof.
12.2.4 Upon
termination of this Agreement, all Directory information obtained by Subscriber
using iShare Medical Directory must be destroyed or removed from all media
under Subscriber’s control, including hard-copy and electronic media.
ARTICLE XIII
COMPENSATION
13.1 Compensation for
Services. In exchange for the
services described herein, Subscriber shall pay iShare Medical the fees set
forth on Exhibits A and B
hereto (the “Fees”). Excluding Subscribers who have entered into
an agreement to be invoiced and pay in accordance with that invoicing
agreement, iShare Medical shall automatically charge Subscriber’s credit card
each month during the Term for the amount of Fees owed by Subscriber for
transactions that exceed the base allowed per account for the previous month
plus the monthly base Fee charge for the applicable month in which the charge
is made. If there is any issue with the
use of Subscriber’s credit card such that the charge by iShare Medical is
denied or declined, Subscriber will be considered in material breach hereof and
iShare Medical may, at its option and in addition to all other remedies
available to iShare Medical hereunder and under the law, including termination
of this Agreement, deactivate Subscriber’s Account until such time as payment
is made in full or a payment arrangement has been mutually agreed upon by both
parties.
Subscriber’s failure
to pay the full amount of any invoice within such thirty (30) day period will
be considered a material breach hereof and iShare Medical may, at its option
and in addition to all other remedies available to iShare Medical hereunder,
including termination of this Agreement, deactivate Subscriber’s accounts until
such time as payment is made in full or a payment arrangement has been mutually
agreed upon by both parties.
ARTICLE
XIV
INDEPENDENT CONTRACTOR
14.1 Independent Contractor
Status. The relationship of the
parties hereunder is solely that of independent contractors. Nothing herein is intended to, nor shall it
be construed to, make either party the employee, agent or servant of the other
for any purpose whatsoever.
ARTICLE XV
INDEMNIFICATION/LIMITATION OF LIABILITY
15.1 Indemnification. Subscriber shall defend iShare Medical and
its officers, directors, managers, members, employees and representatives
against all claims and damages and indemnify iShare Medical and its officers,
directors, managers, members, employees and representatives for all claims,
damages and costs, including expenses and reasonable attorneys’ fees, to the
extent arising out of its use or disclosure of information received through
iShare Medical Directory hereunder.
15.2 Limitation of Liability. iShare Medical is not responsible for or
liable for (i) any inaccuracies of data or other information that are provided
by third parties to iShare Medical for inclusion in the iShare Medical Directory
or (ii) any errors (e.g., typographical mistakes) by the Subscriber. Further, in no event will iShare Medical be
liable for any special, indirect, incidental or consequential damages in
connection with or related to the services provided hereunder. Liability of iShare Medical for claims
related to this Agreement, whether in contract, tort or otherwise, will not
exceed the Fees paid by the Subscriber for the services to which the claims
relate.
ARTICLE XVI
NOTICE
16.1 Notices. All notices required or permitted to be given
under the terms of this Agreement shall be in writing, and shall be effective
upon delivery if delivered to the addressee in person, effective three (3)
business days after mailing if mailed by certified mail, postage prepaid,
return receipt requested, or effective the next business day if delivered by
overnight courier with charges prepaid, as follows:
If to
iShare Medical: iShare Medical, LLC
3150 Mercier, Suite 608A
Kansas City, Missouri 64111
Attn: Linda Van Horn, MBA
If to Subscriber: Individual
and address identified by Subscriber as specified in Section 2.1
ARTICLE XVII
CONFIDENTIAL
INFORMATION/INTELLECTUAL PROPERTY
17.1 Confidential
Information. All business,
proprietary, financial, legal, and personal information disclosed by iShare
Medical, either intentionally or unintentionally, to Subscriber in connection
with this Agreement shall be held in strict confidence and shall not be
disclosed by Subscriber without the prior written consent of iShare
Medical. Subscriber shall not use any
information gained as a result of this Agreement to the competitive
disadvantage or in any other way detrimental to iShare Medical. Subscriber shall not, during or after the
Term, disclose such confidential and proprietary information of iShare Medical,
or trade secrets of iShare Medical, to any other firm, person, corporation,
association or other entity for any reason or purpose whatsoever, or use such
information for Subscriber’s own benefit, without the prior written consent of
iShare Medical, unless otherwise required to disclose such by law, in which
case Subscriber shall immediately notify iShare Medical thereof. This Section shall survive the expiration or
termination of this Agreement for any reason.
17.2 Names, Logos, Marks. Neither party shall use the name, logos, or
marks of the other party without such party’s prior written consent, except
that iShare Medical may use Subscriber’s name, logos, or marks to identify it
as a user of iShare Medical’s services.
This Section shall survive the expiration or termination of this Agreement
for any reason.
17.3 Intellectual Property. Each party shall retain all right, title and
interest in all of its own Intellectual Property and all elements and
derivative works thereof, whether or not developed in conjunction with the
other party, and whether or not protected or protectable. Notwithstanding the foregoing, the parties
agree that iShare Medical shall own any new Intellectual Property that it
develops pursuant to this Agreement, whether such development is at the request
of Subscriber or otherwise. For purposes
hereof, “Intellectual Property” means (a) copyrights, (b) issued patents and
patentable inventions, processes, methodologies, and procedures, (c) trade
secrets and know-how, (d) trademarks or service marks, (e) moral rights, and
(f) applications for registration or protection of any of the foregoing. This Section shall survive the expiration or
termination of this Agreement for any reason.
ARTICLE
XVIII
MISCELLANEOUS
18.1 Recitals. The recitals are true and correct and are
incorporated herein in their entirety.
18.2 Dispute Resolution. The parties agree to make all reasonable
efforts to resolve any and all disputes between them in connection with this
Agreement in an amicable manner.
18.3 Assignments. Neither party may assign its rights or duties
hereunder without the prior written consent of the other party; provided,
however, that iShare Medical, at its discretion, may use one or more vendors or
contractors to fulfill its obligations hereunder.
18.4 Publicity. In accordance with Section 18.2 above, iShare
Medical may use Subscriber’s name in press releases, product brochures,
financial reports, and other marketing materials indicating that Subscriber is
a customer of iShare Medical.
18.5 Force Majeure. Failure of iShare Medical to perform its
obligations under this Agreement will not subject iShare Medical to any
liability to Subscriber if such failure is caused by acts of God, legal
restrictions, transportation conditions, materials shortages, supplier delays,
riot, sabotage, communication losses or interruptions, embargo, strikes or any
other cause beyond the reasonable control of iShare Medical. Such an occurrence or interruption shall not
constitute a breach of this Agreement or vest in Subscriber any right of
damage, cancellation or rescission.
iShare Medical will resume the performance of its obligations as soon as
practicable after the force majeure event has ceased.
18.6 Entire Agreement. This Agreement supersedes all previous
contracts, proposals, or agreements between the parties with respect to the
same subject matter and constitutes the entire Agreement between the parties
hereto.
18.7 Governing Law. This Agreement shall be construed and
governed by the laws of the State of Missouri.
Any action or claim arising
from, under or pursuant to this Agreement shall be brought in the courts, state
or federal, within Kansas City, Missouri, and the parties expressly waive the
right to bring any legal action or claims in any other courts. The parties to this Agreement hereby consent
to venue in any state or federal court within Kansas City, Missouri for all
purposes in connection with any action or proceeding commenced between the
parties hereto in connection with or arising from this Agreement.
18.8 Severability. In the event that any provision hereof is
found invalid or unenforceable, the remainder of this Agreement shall remain
valid and enforceable according to its terms.
18.9 Amendments. This Agreement may be amended only by an
instrument in writing signed by the parties hereto.
18.10 Changes in Law or Interpretation of Law. The
parties recognize that this Agreement at all times is subject to applicable
federal, state and local laws. The
parties further recognize that this Agreement shall be subject to amendments in
and changing interpretations of such laws and regulations and to possible new
legislation as well. Should any
provision of law (including existing law) invalidate, or otherwise be inconsistent
with, the terms of this Agreement or cause one or both of the parties to be in
violation of a material law, the parties shall exercise their bests efforts to
negotiate an amendment to this Agreement so as to comply with such law, while
maintaining the terms and intent of this Agreement to the greatest extent
possible consistent with the requirements of law. If a party reasonably requests an amendment
to this Agreement pursuant to this Section and such amendment is not negotiated
within thirty (30) days, or sooner if required by law, following notice of one
party to the other that the Agreement or any portion thereof is invalid or
inconsistent with applicable law, the party requesting the amendment may
terminate this Agreement.
EXHIBIT A
Fees for iShare Medical Messaging for Providers
This exhibit outlines pricing for iShare Medical Messaging
for Providers. iShare Medical fees are
as follows:
I. iShare Medical Messaging for Providers
1.
iShareID
Direct Domain Certificates for 1 to 5 Direct Addresses is $125 per year per
subscribing healthcare organization. iShareID Direct Certificates for the
purposes of Direct Messaging cannot be used by multiple organizations.
This product includes the following:
a. ID
Proofing of Subscriber Organization and Trusted Agent.
b. Administrative
account for Trusted Agent to create and manage Direct Addresses for the
Organization.
c.
iShareID Direct Domain includes two key
pairs. One key pair is used for
encryption/decryption of messages and the second key paid is used for digital
signatures. Each key pair is bound to a separate Certificate.
d.
HIPAA compliant secure storage and
protection of private keys.
2.
iShare
Medical Messaging is sold in increments of 5 users at a cost of $19.95 per user
per month. Each user will have a separate user login to iShare Medical Messaging
for Provider application which allows the user to view Direct Messages in plain
English. Login accounts use two-factor
authentication. Factor one is a username
and password and factor two is a single use token texted to the users cell
phone or desk top computer.
3.
For
each 5 users there is an aggregated number of Transactions included of
1,000. Transactions in excess of 1,000
are $0.22 (twenty-two cents) per Transaction.
Transactions include Direct Messages sent or received. Administrative messages such as Message
Disposition Notifications (MDNs) and internal messages from the postmaster are
not counted against the 1,000 Transactions. The maximum size for any Direct
Message is 10 MB, including the message header, the message body, and
attachments. The Direct Message size
limit is for pricing purposes. Larger
Direct Message sizes can be accommodated under a different pricing structure.
4.
Additional
Storage over 1 GB is $5 per GB per month.
EXHIBIT B
iShare
Medical Directory Fees
This exhibit outlines pricing for iShare Medical
Directory. iShare Medical Directory is
available as a web application or as a RESTful API. In either case, iShare Medical Directory
cannot be purchased as a stand-alone product.
In the case of the web application, iShare Medical Directory is included
as a part of iShare Medical Messaging.
In the case of API access to iShare Medical Directory, iShare Medical
RESTful API for Directory Services is a separate product that is only available
to customers who have also purchased iShare Medical RESTful API for iShare
Medical Messaging.
iShare Medical Directory
1. Subscribers
must have and iShareID Direct Address in order to access the iShare Medical
RESTful API for Directory Services or iShare Medical Directory online provider
directory.
2. iShare
Medical Directory is a component of iShare Medical Messaging and included in
the price for iShare Medical Messaging.
3.
iShare Medical RESTful API for Directory
Services is priced separately and available upon request.
EXHIBIT C
Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”)
is entered into on effective date by and between the Subscriber,
and iShare Medical, LLC, a Missouri limited liability company
with its principal place of business at 3150 Mercier, Suite 608A, Kansas City,
Missouri 64111 (sometimes hereinafter referred to as "iShare").
WHEREAS, the Subscriber is a “covered
entity” under the regulations promulgated under the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”); and
WHEREAS, the parties have entered into that certain
Agreement for HISP Services (“Service Agreement”) that will require Subscriber to
disclose to iShare information that is confidential and must be afforded
special treatment and protection in accordance with HIPAA and the regulations
promulgated thereunder at 45 CFR Parts 160 and 164.
NOW, THEREFORE, the parties agree as
follows:
1.
Definitions. Terms used,
but not otherwise defined, in this Agreement shall have the same meaning as
those terms in the Privacy Rule, Security Rule, or Data Breach Notification
Rule. For the purposes of this
Agreement, the following words shall have the following meanings:
a.
Breach.
“Breach” shall have the same meaning as the term “breach” in 45 CFR 164.402,
limited to a Breach involving Protected Health Information as defined herein.
b.
Business Associate. “Business Associate” shall
mean iShare.
c.
Covered Electronic Transactions. “Covered Electronic Transactions” shall have
the same meaning as the term “Transaction” in 45 CFR 160.103.
d.
Covered Entity. “Covered Entity” shall mean
Subscriber.
e.
Data Breach Notification Rule. “Data Breach
Notification Rule” shall mean the standards for Breach Notification of
Unsecured Protected Health Information at 45 CFR part 160 and part 164,
subparts A and D, as amended.
f.
Individual. “Individual” shall have the same
meaning as the term “individual” in 45 CFR 160.103 and shall include a person
who qualifies as a personal representative in accordance with 45 CFR
164.502(g).
g.
Privacy Rule. “Privacy Rule” shall mean the
Standards for Privacy of Individually Identifiable Health Information at 45 CFR
part 160 and part 164, subparts A and E, as amended.
h.
Protected Health Information. “Protected Health
Information” shall have the same meaning as the term “protected health
information” in 45 CFR 160.103, limited to the information created, received,
maintained or transmitted by Business Associate from or on behalf of Covered
Entity.
i.
Required By Law. “Required By Law” shall have
the same meaning as the term “required by law” in 45 CFR 164.103.
j.
Secretary. “Secretary” shall mean the Secretary
of the Department of Health and Human Services (“DHHS”) or his or her designee.
k.
Security Incident. “Security Incident” shall
have the same meaning as the term “security incident” in 45 CFR 164.304.
l.
Security Rule.
“Security Rule” shall mean the Security Standards for the Protection of
Electronic Protected Health Information, 45 CFR Part 160 & Part 164,
subparts A & C, as amended.
m.
Standards for Electronic Transactions Rule. “Standards for Electronic Transactions Rule”
means the final regulations issued by DHHS concerning standard transactions and
code sets, 45 CFR Part 160 & Part 162, as amended.
2.
Obligations and Activities of Business Associate.
a.
Business Associate agrees to not use or disclose
Protected Health Information other than as permitted or required by the
Agreement or as Required By Law.
b.
Business Associate agrees to use appropriate
safeguards, and to comply with the Security Rule with respect to electronic
Protected Health Information, to prevent use or disclosure of the Protected
Health Information other than as provided for by this Agreement, including the
implementation of administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and
availability of the electronic Protected Health Information that Business
Associate creates, receives, maintains, or transmits on behalf of Covered
Entity as required by the Security Rule. Covered
Entity expressly agrees that Business Associate may de-identify PHI that is
received from, or created on behalf of, the Covered Entity.
c.
Business Associate agrees to report to Covered Entity
any (i) Security Incident of which it becomes aware, (ii) use or disclosure of
the Protected Health Information not provided for by this Agreement of which it
becomes aware, or (iii) any Breach of which it becomes aware, within twenty
(20) business days of Business Associate’s discovery of any such Security Incident,
unauthorized use or disclosure, or Breach.
The parties agree, however, that Unsuccessful Security Incidents (USI)
are foreseeable and expected, are not reportable under this paragraph, and that
this paragraph provides notice of such USI.
For purposes of this Agreement, USI includes, but is not limited to,
pings on a firewall, unsuccessful attempts to log onto a system with an invalid
password or user name, unsuccessful attempts to load malware, denial-of-service
attacks that do not result in a server being taken off-line, and other events
that do not result in actual impermissible disclosure of Protected Health
Information or a substantial risk thereof.
d.
In accordance with 45 CFR 164.502(e)(1)(ii) and 45 CFR
164.308(b)(2), Business Associate agrees to ensure that any agents or
Subcontractors that create, receive, maintain or transmit Protected Health
Information on behalf of the Business Associate execute a written contract
agreeing to abide by the same restrictions, conditions and requirements that apply
through this Agreement to Business Associate with respect to such information,
including without limitation an agreement to implement reasonable and
appropriate safeguards to protect non-electronic and electronic Protected
Health Information.
e.
Within ten (10) business days of receipt of a written
request from Covered Entity, Business Associate agrees to provide access in the
manner designated by the Covered Entity to Protected Health Information in a
Designated Record Set, to Covered Entity or, as directed by Covered Entity, to
an Individual in order to meet the requirements under 45 CFR 164.524.
f.
Unless otherwise Required By Law or by an accrediting
organization, Business Associate agrees to make any amendment(s) to Protected
Health Information in a Designated Record Set that the Covered Entity directs
or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an
Individual, and in the time and manner designated by the Covered Entity.
g.
Business Associate agrees to make internal practices, books,
and records, including policies and procedures and Protected Health
Information, relating to the use and disclosure of Protected Health Information
received from, or created or received by Business Associate on behalf of,
Covered Entity available to the Secretary, in a time and manner designated by
the Secretary, for purposes of the Secretary determining Covered Entity’s
compliance with the Privacy Rule.
h.
Business Associate agrees to document such disclosures
of Protected Health Information and information related to such disclosures as
would be required for Covered Entity to respond to a request by an Individual
for an accounting of disclosures of Protected Health Information in accordance
with 45 CFR 164.528.
i.
Within ten (10) business days of receipt of a written
request from Covered Entity, Business Associate agrees to provide to Covered
Entity or an Individual, in the manner designated by the Covered Entity,
information collected in accordance with Section 2(h) of this Agreement, so as
to permit Covered Entity to respond to a request by an Individual for an
accounting of disclosures of Protected Health Information in accordance with 45
CFR 164.528.
j.
If Business Associate transmits or receives any Covered
Electronic Transaction on behalf of the Covered Entity, it shall comply with
all applicable provisions of the Standards for Electronic Transactions Rule to
the extent Required By Law, and shall ensure that any agents that assist
Business Associate in conducting Covered Electronic Transactions on behalf of
the Covered Entity agree in writing to comply with the Standards for Electronic
Transactions Rule to the extent Required By Law.
k.
To the extent Business Associate is to carry out
Covered Entity’s obligations under the Privacy Rule, Business Associate agrees
to comply with the requirements of the Privacy Rule that apply to Covered
Entity in the performance of the obligation.
l.
Business Associate agrees to reasonably safeguard
protected health information to limit incidental uses or disclosures made pursuant
to an otherwise permitted or required use or disclosure.
m.
Business Associate agrees to comply with all applicable
federal and state laws and regulations, including the HITECH Act’s privacy and
security requirements.
3.
Permitted Uses and Disclosures by Business Associate.
a.
Except as otherwise limited in this Agreement, Business
Associate may use or disclose Protected Health Information to perform
functions, activities, or services for, or on behalf of, Covered Entity as
specified in the Service Agreement, provided that such use or disclosure would
not violate the Privacy Rule if done by Covered Entity or the minimum necessary
policies and procedures of the Covered Entity (except for the specific uses and
disclosures set forth below).
b.
Except as otherwise limited in this Agreement, Business
Associate may use Protected Health Information for the proper management and
administration of the Business Associate or to carry out the legal
responsibilities of the Business Associate.
c.
Except as otherwise limited in this Agreement, Business
Associate may disclose Protected Health Information for the proper management
and administration of the Business Associate, provided that disclosures are
Required By Law, or Business Associate obtains reasonable assurances from the
person to whom the information is disclosed that it will remain confidential
and used or further disclosed only as Required By Law or for the purpose for
which it was disclosed to the person, and the person notifies the Business
Associate of any instances of which it is aware in which the confidentiality of
the information has been breached.
d.
Except as otherwise limited in this Agreement, Business
Associate may use Protected Health Information to provide Data Aggregation
services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).
e.
Business Associate may use Protected Health Information
to report violations of law to appropriate federal and state authorities,
consistent with 45 CFR 164.502(j)(1).
f.
Except as otherwise limited in this Agreement, Business
Associate may disclose Protected Health Information to a business associate who
is an agent or Subcontractor and may allow the agent or Subcontractor to
create, receive, maintain or transmit Protected Health Information on its
behalf, if the Business Associate enters into a written contract with the agent
or Subcontractor in which the agent or Subcontractor agrees to abide by the
same restrictions and conditions that apply through this Agreement to Business
Associate with respect to such information, including without limitation an
agreement to implement reasonable and appropriate safeguards to protect
non-electronic and electronic Protected Health Information.
g.
Business Associate may use or disclose Protected Health
Information as Required By Law.
4. Obligations of Covered Entity.
a.
Covered Entity shall notify Business Associate of any
limitation(s) in its notice of privacy practices under 45 CFR 164.520, to the
extent that such limitation may affect Business Associate's use or disclosure
of Protected Health Information.
b.
Covered Entity shall notify Business Associate of any
changes in, or revocation of, authorizations by an Individual to use or
disclose Protected Health Information, to the extent that such changes may
affect Business Associate's use or disclosure of Protected Health Information.
c.
Covered Entity shall notify Business Associate of any
restriction to the use or disclosure of Protected Health Information that
Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent
that such restriction may affect Business Associate's use or disclosure of
Protected Health Information.
5.
Permissible Requests by Covered Entity. Covered Entity shall not request Business
Associate to use or disclose Protected Health Information in any manner that
would not be permissible under the Privacy Rule if done by Covered Entity,
except that Covered Entity may request Business Associate to undertake the
activities mentioned in Sections 3(b)-(f) above.
6.
Term and Termination.
a.
Term. The Term of this Agreement shall be effective as of
today and shall terminate when all of the Protected Health Information provided
by Covered Entity to Business Associate, or created, received, maintained or
transmitted by Business Associate on behalf of Covered Entity, is destroyed or
returned to Covered Entity, or, if it is infeasible to return or destroy
Protected Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section.
b.
Termination for Cause. Upon Covered Entity’s
knowledge of a pattern of activity or practice of the Business Associate that
constitutes a material breach or violation of this Agreement by Business
Associate, Covered Entity shall either:
1.
Provide an opportunity for Business Associate to cure
the breach or end the violation and terminate this Agreement and the Service
Agreement if Business Associate does
not cure the breach or end the violation within the time specified by Covered
Entity, if termination is feasible; or
2.
Immediately terminate this Agreement and the Service
Agreement if cure is not possible, if feasible.
c.
Effect of Termination.
1.
Except as provided in paragraph (2) of this subsection,
upon termination of this Agreement, for any reason, Business Associate shall
return or destroy all Protected Health Information received from Covered
Entity, or created or received by Business Associate on behalf of Covered
Entity. This provision shall apply to Protected Health Information that is in
the possession of subcontractors or agents of Business Associate. Business
Associate shall retain no copies of the Protected Health Information.
2.
In the event that Business Associate determines
that returning or destroying the Protected Health Information is infeasible,
Business Associate shall provide a written certification to Covered Entity of
the conditions that make return or destruction infeasible. Upon certifying that
return or destruction of Protected Health Information is infeasible, Business
Associate shall extend the protections of this Agreement to such Protected
Health Information and limit further uses and disclosures of such Protected Health
Information to those purposes that make the return or destruction infeasible,
for so long as Business Associate maintains such Protected Health Information.
7. HITECH Act Amendments. To comply with certain provisions
contained in the American Recovery and Reinvestment Act of 2009, the parties
agree to comply with the following:
a.
Business Associate shall comply with the applicable
standards, implementation specifications, and requirements of the Security Rule
with respect to electronic Protected Health Information of Covered Entity. Specifically, Business Associate shall comply
with all applicable sections of 45 C.F.R. §§ 164.306, 164.308, 164.310,
164.312, 164.314 and 164.316. The
additional requirements of Subtitle D of Division A of the Health Information
Technology for Economic and Clinical Health Act (“HITECH Act”) contained in
Public Law 111-005 that relate to security and that are made applicable with
respect to covered entities shall also be applicable to Business Associate and
shall be and by this reference hereby are incorporated into this Agreement, and
Business Associate shall comply with those requirements and any implementing
regulations.
b.
Business Associate may use and disclose Protected
Health Information that it obtains or creates only if such use or disclosure,
respectively, is in compliance with each applicable requirement of 45 C.F.R.
164.504(e). The additional requirements
of Subtitle D of Division A of the HITECH Act and its implementing regulations
that relate to privacy and that are made applicable with respect to covered
entities shall also be applicable to Business Associate and shall be and by
this reference hereby are incorporated into this Agreement, and Business
Associate shall comply with those requirements.
8.
Miscellaneous.
a.
Regulatory References. A reference in this
Agreement to a section in the Privacy Rule or the Security Rule means the
section as in effect or as amended.
b.
Amendment. The Parties agree to take such
action as is necessary to amend this Agreement from time to time as is
necessary for Covered Entity and Business Associate to comply with the
requirements of the Privacy Rule, the Security Rule, the Health Insurance
Portability and Accountability Act of 1996, Pub. L. 104-191, and the HITECH Act
and its implementing regulations.
Regardless of the execution of a formal amendment of this Agreement, the
Agreement shall be deemed amended to permit the Covered Entity and Business
Associate to comply with HIPAA, the HITECH Act and its implementing
regulations, the Privacy Rule, and the Security Rule, as the same may be
hereafter amended or interpreted.
c.
Survival. The rights and obligations of
Business Associate under Section 6(c) shall survive the termination of this
Agreement. Sections 8(a) and 8(c)-(h) of
this Agreement shall survive the termination of this Agreement.
d.
Interpretation. This Agreement supersedes
any prior business associate agreement between the parties. Any ambiguity in this Agreement shall be
resolved to permit the parties to comply with the requirements of HIPAA and all
regulations promulgated pursuant to HIPAA, including without limitation the
Privacy Rule and the Security Rule, and with the HITECH Act and its
implementing regulations. In the event
of any conflict between this Agreement and any other agreement between the
parties, this Agreement shall control.
e.
Notices.
Notices permitted or required to be given under this Agreement shall be
in writing and shall either be hand delivered, sent by certified mail, return
receipt requested, or delivered by overnight courier to the address of the
parties as set forth herein below, or to other such person or to other such
address as the parties hereto may specify by written notice to the other:
|
Covered Entity:
|
Subscriber Trusted Agent as specified in section 2.1
|
|
Business Associate:
|
iShare Medical, LLC
3150 Mercier, Suite 608A
Kansas City, Missouri 64111
Attn: Linda Van
Horn
|
f.
No Third Party Beneficiaries. The parties specifically intend that nothing
in this Agreement, either express or implied, is intended to confer any rights
or remedies under or by reason of this Agreement upon any person or entity
other than the parties hereto and their respective successors and assigns. In particular, the parties intend that this
Agreement governs and applies only to their relationship and all other persons
or entities shall have no rights, claims, entitlements, or benefits under or as
a result of this Agreement.
g.
Independent Contractor Status. It is expressly acknowledged and agreed by
the parties that Business Associate is an independent contractor and nothing in
this Agreement is intended or will be construed to create an employer/employee,
partner or joint venturer relationship between the parties. Business Associate shall control the manner,
means, and methods by which services are performed by it, subject to compliance
with this Agreement and the Service Agreement.
h.
Governing Law; Where Action to Be Brought; Venue. This Agreement shall be governed by, and
construed in accordance with, the laws of the State of Missouri without regard
to conflicts of law principles. Any
action or claim arising from, under or pursuant to this Agreement shall be
brought in the courts, state or federal, within Kansas City, Missouri, and the
parties expressly waive the right to bring any legal action or claims in any
other courts. The parties hereto hereby
consent to venue in any state or federal court within Kansas City, Missouri for
all purposes in connection with any action or proceeding commenced between the
parties hereto in connection with or arising from this Agreement.
IN WITNESS WHEREOF, the parties hereto have
executed this Agreement as of the day and year first written above.
IN WITNESS WHEREOF, Business Associate and Covered
Entity have caused this Agreement to be signed and delivered by their duly
authorized representatives, as of the date first set forth above.
61289280.10
