TERMS OF USE

(and Business Associate Addendum)

pulsra-it2@1400x600

Updated 6/19/26

Terms of Use

The Pulsara communications and logistics platform is offered by CommuniCare Technology, Inc., dba Pulsara, a Delaware corporation (“Pulsara”) on a subscription basis to an organization (“Subscriber”) providing medical and/or emergency management services. Access to and use of the platform, Software, and Pulsara’s services (collectively the “Services”) are governed by the following terms (the “Terms”).


ACCEPTANCE OF TERMS

The Services are offered subject to your acceptance of the Terms contained herein. By accessing, registering for and/or using the Services in any manner, Subscriber acknowledges and agrees that these Terms govern such use.


ARTICLE 1
DEFINITIONS


Section 1.1 - Software

“Software” means the Pulsara web and mobile applications as described at www.pulsara.com/packages and as licensed to Subscriber.

Section 1.2 - Error

“Error” means a failure of the Software to conform in all material respects to the Licensed Documentation; provided, however, that any nonconformity resulting from Subscriber’s improper use of the Software, combining or merging the Software with software not approved by Pulsara for use with the Software, or modification of the Software which has not been performed by Pulsara, shall not be considered an Error.

Section 1.3 - Licensed Documentation

“Licensed Documentation” means all the technical and performance specifications of the Software and support materials supplied to Subscriber.

Section 1.4 - Final Quote

“Final Quote” means each document executed by both parties pursuant to which Subscriber purchases or renews a subscription to the Services. The Final Quote shall form a part of these Terms. If any terms of the Final Quote conflict with any Terms herein, the terms of the Final Quote will control.

Section 1.5 - Patient Information or PHI

“Patient Information” or “PHI” means “protected health information” as defined under HIPAA provided on or entered into the Software by Subscriber’s end users.

Section 1.6 - Subscriber's Data

"Subscriber's Data" means all data and information submitted to Pulsara or obtained, developed, stored, accessed, processed, or produced by Pulsara in connection with the Services. Subscriber's Data is considered Subscriber's Confidential Information.

ARTICLE 2
GRANT/SOFTWARE


Section 2.1 - Grant of Software License

Pulsara grants to Subscriber a limited, nonexclusive, non-transferable, annual license to access and use the Software and the Licensed Documentation (collectively, the “Licensed Product”) in the manner described in these Terms and, if applicable, the Final Quote. Pulsara reserves all rights in the Licensed Product.

Section 2.2 - Software Support

Pulsara will provide support for current versions of the Software when coupled with device operating systems, hardware devices, and browser versions listed at the URL: https://www.pulsara.com/faqs/which-web-browsers-and-mobile-devices-can-we-use, which will be updated from time to time.

Section 2.3 - Software Performance Usage Data

Aggregated and de-identified usage data and Error reports may be collected through the Software to improve Software performance and effectiveness.


ARTICLE 3
FEES AND PAYMENT

Section 3.1 - Fees

As compensation for the licenses granted by Pulsara to Subscriber, Subscriber will pay to Pulsara all fees, if any, as set forth in the Final Quote for paid subscriptions. For free subscriptions, no fees shall apply. Unless otherwise provided for in these Terms, all applicable fees will be paid in US dollars and become due in accordance with the Final Quote terms.

Section 3.2 - Taxes

Fees listed in the Final Quote are exclusive of sales and services taxes. Subscriber is responsible for payment of all such taxes arising from the payment of the Fees unless tax exemption status is provided.

 

ARTICLE 4
TERM AND TERMINATION

 

Section 4.1 - Subscription Term

The effective date of the subscription term (the “Term”) commences on the date of the last signature on the Final Quote for paid subscriptions. For free subscriptions, the Term commences upon the Subscriber’s representative clicking the “Sign Up Now” button on www.pulsara.com.

Section 4.2 - Termination

Either party may terminate the subscription upon written notice to the other party only as follows:

(a) if either party breaches a material provision of these Terms and such breach is not cured within thirty (30) days after written notice has been given to the breaching party in accordance with Section 4.2; provided, however, that Subscriber access to the Software may be suspended during the thirty (30) day cure period if the breach would cause potential damage to the Software or third parties’ continued safe use of the Software;

(b) in the event that either party becomes insolvent, is adjudicated bankrupt, voluntarily seeks protection under any bankruptcy or insolvency law, or makes an assignment for the benefit of creditors, whether voluntary or involuntary;

(c) by Subscriber upon thirty (30) days written notice to Pulsara. In the event that any fees are due as of the termination date, they shall become immediately due and payable. Upon early termination, Subscriber will not be responsible for payment of fees for subsequent years set forth in the Final Quote; or

(d) by Pulsara upon thirty (30) days written notice to Subscriber. Upon early termination, Subscriber will not be responsible for payment of fees for subsequent years set forth in the Final Quote.

Section 4.3 - Effect of Termination

Upon termination, Subscriber's access to the Software will cease. Upon written request by Subscriber made within thirty (30) days after the termination date, Pulsara will make available to Subscriber single-user access to the platform. Pulsara will grant any such access for a period of ten (10) business days from the receipt of the written request to allow Subscriber to prepare a final download (export) of the Subscriber's data (which shall constitute a "return" of Subscriber's data). The single-user access described in the preceding sentence is not provided in lieu of, and does not diminish, Pulsara's obligations to return any protected health information that is maintained by Pulsara under the Business Associate Addendum ("BAA") that is attached hereto and incorporated herein.

ARTICLE 5
USAGE


Section 5.1 - Use of Software

Subscriber shall use the Software only in a manner and for the purposes for which the Software was designed. All uses not expressly permitted under this Article 5 are prohibited.

Section 5.2 - End User Access

Subscriber is solely responsible for authorizing its end users’ access to the Software, maintaining all login information and overseeing use of the Software by its end users.

Section 5.3 - Patient Information

Subscriber acknowledges and agrees (1) that the Software is used to transmit, collect, access, manage, and display PHI and (2) that PHI is stored by Pulsara. Both parties agree that the Business Associate Agreement executed between the parties will govern the use, storage, and disclosure of any and all such PHI. Subscriber acknowledges and agrees that Subscriber determines which patient information comprises their designated record set and is accessible to the patient as defined under HIPAA regulations at 45 CFR 164.501. By design, patient information communicated in Pulsara for the purposes of care coordination is not intended to serve as the system of record.

Section 5.4 - Medical Advice and Treatment

Subscriber acknowledges and agrees that Pulsara does not provide medical advice, diagnosis, or treatment.

Section 5.5 - Compliance with Employment and Privacy Laws

Subscriber is solely responsible for ensuring its use of the Software's geolocation tracking feature complies with all applicable local, state, and federal laws regarding employee monitoring and geolocation privacy (e.g., California Civil Code § 1798.100, New York Civil Rights Law § 52-c). Subscriber warrants that it will obtain all necessary consents from end users to track their precise geolocation, as applicable. 

Section 5.6 - Pulsara Intelligence

(a) General. Pulsara may offer optional artificial intelligence ("AI") features ("Pulsara Intelligence") designed to improve information sharing and efficiency (e.g., extract discrete data fields from unstructured text). Pulsara Intelligence is not intended to provide clinical diagnosis, treatment recommendations, or predictive medical decision-making.

(b) Subscriber Control. The use of Pulsara Intelligence is optional; Subscriber may enable or disable these features at the application level at any time. 

(c) Data Protection and Training. Pulsara uses a secure, enterprise-grade environment that remains subject to the same data protection standards as other clinical information within the Software. Subscriber data, including Patient Information or narratives, is not used to train or fine-tune AI models. 

(d) Human Oversight and Allocation of Risk. Subscriber acknowledges that Pulsara Intelligence is a tool designed to enhance data efficiency and is not a substitute for professional judgment. For any AI-generated outputs that inform clinical diagnosis, treatment, or patient care decisions, Subscriber is responsible for ensuring appropriate human review and validation. Subscriber acknowledges that the degree of human oversight required may vary based on the nature of the AI output and the specific use case, and Subscriber remains solely responsible for the final verification of any clinical data or patient-related narratives before such information is acted upon. 


ARTICLE 6
WARRANTY


Section 6.1 - Warranty

(a) Pulsara warrants that the Software substantially meets and performs in compliance with all applicable specifications set forth in the Licensed Documentation.

(b) Pulsara warrants that the Software shall be free, at the time of delivery, of any potentially damaging code or program, the effect of which may be destruction of computer data or the permanent or temporary disabling of a computer system, or provision of unauthorized access to a computer system, including but not limited to "Trojan horses," "time bombs," "logic bombs," "worms," "back-doors," and other computer viruses, collectively referred to as "Harmful Code," Pulsara will promptly notify Customer if Pulsara becomes aware that the Software may contain Harmful Code.

(c) Pulsara warrants that all Services will be performed in a good and workmanlike manner, which at least meets industry standards. Pulsara acknowledges and agrees that all services hereunder shall be performed by personnel experienced and highly skilled in their profession and in accordance with the highest applicable standards of professionalism for comparable or similar services. Pulsara shall be responsible for the professional quality, timeliness, coordination and completeness of Services.

Section 6.2 - Limitations on Warranty

Except as provided for in these Terms, Pulsara makes no other representations or warranties, express or implied, with respect to Software, and expressly disclaims all such other representations and warranties, including any with respect to merchantability, reliability, or fitness for a particular use or purpose. Without limiting the generality of the foregoing Pulsara, makes no warranty, representation, or guarantee: (1) as to the sequence, accuracy, timeliness, relevance, or completeness of information entered into the Software, including any information regarding treatment of medical conditions, actions, diagnoses, procedures, application of medication, or other provision of medical services; (2) that the use of the Software will be uninterrupted or error-free; (3) as to the efficacy of the Software if not updated at least quarterly and accessed on supported device operating systems, hardware devices, and browser versions listed on www.pulsara.com/faqs/which-web-browsers-and-mobile-devices-can-we-use, which will be updated from time to time; (4) that the Software's geolocation features satisfy Subscriber's obligations under state or federal employment or privacy laws; or (5) regarding the accuracy, completeness, or reliability of any outputs generated by Pulsara Intelligence.

Section 6.3 - Access

Pulsara disclaims any and all responsibility for interruption of Software access due to Subscriber's network connectivity, including system outages caused by cellular providers  and internet service providers (ISPs), unless such loss of access is caused by Pulsara or the Software.

Section 6.4 - Limited Liability

(a) The parties’ liability to the other for breach of these Terms shall not exceed the fees paid by Subscriber for the Licensed Products during the twelve (12) month period immediately preceding said breach, less any discount or credits previously received for the Licensed Products.

(b) The limitation stated in Section 6.4 (a) does not apply to Pulsara’s gross negligence or willful misconduct.

(c) Neither party will be liable to the other party for consequential, special, indirect, incidental, punitive, or exemplary damages, costs, expenses or losses or lost profits under these Terms. 

The parties acknowledge that the terms of this section reflect the allocation of risk set forth in these Terms and that the parties would not enter into these Terms without these limitations of liability.


ARTICLE 7
INDEMNIFICATION


Section 7.1 - Indemnification by Subscriber

Provided that such indemnification does not conflict with Subscriber’s state law, Subscriber shall indemnify, defend and hold Pulsara, its licensors, parent organizations, subsidiaries, affiliates, officers, directors, employees, attorneys, and agents harmless from and against any and all third-party claims and associated costs, damages, losses, liabilities, and expenses arising out of or relating to Subscriber’s (1) misuse of the Software, including in a manner not authorized by these Terms or the Licensed Documentation; (2) breach of these Terms; (3) violation of privacy rights, employee monitoring statutes, or failure to obtain consent arising from Subscriber's use of geolocation tracking features, including on personally owned devices; or (4) use of Pulsara Intelligence, including (i) reliance on AI-generated outputs, (ii) failure to review or validate such outputs, or (iii) use of such outputs in clinical decision-making.

Section 7.2 - Indemnification by Pulsara

Pulsara shall indemnify, defend and hold Subscriber, its parent organizations, subsidiaries, affiliates, officers, directors, employees, attorneys, and agents harmless from and against any and all third-party claims and associated costs, damages, losses, liabilities, and expenses arising out of Pulsara's (1) breach of Subscriber's Data; (2) violation of HIPAA; (3) breach of the terms of the parties' BAA; or (4) infringement of third-party intellectual property rights.

Section 7.3 - Limitations to Indemnification Obligations

Notwithstanding anything to the contrary in this Article 7, the indemnifying party shall have no obligation to defend the indemnified party with respect to any claim, costs, damages, losses, or liabilities arising from any acts or omissions of the indemnified party.

Section 7.4 - Notice and Defense of Claims

The indemnified party shall provide the indemnifying party with prompt notice of the claim giving rise to the indemnification obligation hereunder, the right to control the defense and settlement thereof, and all information with respect thereto; provided that the indemnifying party shall not enter into any settlement that admits fault, wrongdoing or damages without the indemnified party's written consent, not to be unreasonably withheld or delayed. The indemnifying party shall have no obligations with respect to any Losses resulting from the indemnified party's admission, settlement, or other communication without the prior written consent of the indemnifying party. 


ARTICLE 8
INTELLECTUAL PROPERTY & CONFIDENTIALITY


Section 8.1 - Intellectual Property

(a) Except for the limited license and use rights expressly granted to Subscriber under these Terms during the Term, all title to and rights in the Licensed Product, including ownership rights to patents (registrations, renewals, and pending applications), copyrights, trademarks, trade secrets, Pulsara’s or third party hardware, other technology, any derivatives of and all goodwill associated with the foregoing, are the exclusive property of Pulsara, and/or other third parties.
 
(b) Patent Notice. The Software may be covered by one or more patents or pending patent applications owned or controlled by Pulsara or its affiliates. Visit www.pulsara.com/legal for more information.

Section 8.2 - Confidentiality

(a) “Confidential Information” means any and all non-public, proprietary information, trade secrets, and such other confidential information of or relating to a party furnished by the party and/or its personnel (“Disclosing Party”) on a confidential basis to the other party (“Receiving Party”). PHI, while confidential, is addressed in and subject to the parties’ BAA and applicable law. Notwithstanding anything in these Terms to the contrary, Confidential Information will not include information which: (1) at or prior to the time of disclosure by the Disclosing Party was known to or independently developed by the Receiving Party, except to the extent unlawfully appropriated by the Receiving Party or third party; (2) at or after the time of disclosure by the Disclosing Party becomes generally available to the public through no wrongful or negligent act or omission on the Receiving Party’s part; or (3) the Receiving Party receives from a third party free to make such disclosure without breach of any legal obligation.
 
(b) Each party agrees not to reveal or disclose any Confidential Information of the Disclosing Party for any purpose to any third party, or to use any Confidential Information for any purpose other than as contemplated in, or otherwise necessary in connection with the Receiving Party's performance under these Terms without the prior written consent of the Disclosing Party. A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, the Disclosing Party gives the Receiving Party reasonable notice of such disclosure and, where notice of disclosure is not prohibited and is given in accordance with this Article, it takes into account the reasonable requests of the other party in relation to the content of such disclosure. Each party agrees to treat Confidential Information disclosed to it by the other with the same degree of care as the Receiving Party uses in protecting its own confidential and proprietary information, but in no event less than a reasonable care.

Section 8.3 - Restrictions

Subscriber is prohibited from reverse engineering, disassembling, or modifying the Software, including the removal of any proprietary notices, and from using the Software in violation of any applicable laws (including any export control laws).

Section 8.4 - Publicity

Neither party shall use the name, trademark, or trade name (whether registered or not) of the other party in publicity releases or advertising without the prior written authorization of the other party. Notwithstanding the foregoing, the names of Subscriber's locations may be included on Pulsara's website, customer map, or in factual listings identifying entities participating on the Pulsara network, provided no logos are used and no descriptive language suggests endorsement by Subscriber. Pulsara may include such factual participation information in required reports to state and local contracting entities (e.g., Departments of Health or Emergency Medical Task Forces) in connection with regional or statewide emergency-response or communication programs.

ARTICLE 9
GENERAL PROVISIONS

Section 9.1 - Governing Law

These Terms will be construed in accordance with and governed by the internal law of Subscriber’s state, without regard to the choice or conflicts of law provisions of any jurisdiction. In the event that either party institutes any action or proceeding arising out of or relating to these Terms, exclusive jurisdiction will be in the state or federal court in the county where the Subscriber’s corporate office is located. 


Section 9.2 - Severability

If any provision of these Terms is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.

Section 9.3 - Independent Contractors

No joint venture, partnership, employment, or agency relationship exists between Subscriber and Pulsara as a result of these Terms or use of the Software.

Section 9.4 - Assignment

The rights and/or obligations contained in these Terms may not be assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or subsidiary) without the prior written approval of the other party, not to be unreasonably withheld, provided, however that either party may assign these Terms in connection with a merger, consolidation, reorganization, or acquisition of a party resulting in a change of control or a transfer or sale of all or substantially all of the assets of either party. No assignment or delegation shall relieve either party of liability for its obligations hereunder.

Section 9.5 - Waiver

The failure of either party to enforce any right or provision in these Terms shall not constitute a waiver of such right or provision unless acknowledged and agreed to by that party in writing.

Section 9.6 - Entire Agreement

These Terms, inclusive of any exhibits or addenda, together with any applicable BAA and Final Quote, comprise the entire agreement (“Agreement”) between Subscriber and Pulsara and supersede all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, including any Software or platform click-through terms regarding the subject matter contained herein. This Agreement may be amended in writing by mutual consent of the parties hereto and in accordance with the procedures of State law and permitted uses.

Section 9.7 - Insurance

During the Term, Pulsara shall maintain in full force and effect insurance policies in the minimum amounts stated below, issued by a carrier with an “A-” or better rating from A.M. Best. Pulsara shall not permit such insurance to be reduced, expired, or canceled without reasonable prior written notice to Subscriber. Below is a summary of the insurance coverages carried by Pulsara and does not include information regarding terms, conditions, deductibles, and exclusions. Upon request, Pulsara shall provide a Certificate of Insurance to Subscriber.

Policy Type

Per Occurrence Limit

Annual Aggregate / Policy Limit

Product Liability

$10MM

$10MM

Cyber Risk Liability

-Privacy and Security
-Technology E&O
-Privacy Breach Notification
-Cyber Extortion

 

$5MM

$5MM

$3MM

$3MM

$5MM

Umbrella, attaching to: 
-General Liability
-Auto Liability
-Employers Liability

$9MM

$9MM

General Liability

$1MM

$2MM

Auto Liability (Hired & Non-Owned)

$1MM

N/A

Workers' Compensation

Statutory

N/A

Employers’ Liability (BI by Accident, BI by Disease)

$1MM

$1MM

Crime

$500K

N/A

 

Exhibit A

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) is entered into by and between the entity that has accepted, executed, or is otherwise legally bound by the Underlying Agreement (“Covered Entity”) and CommuniCare Technology, Inc. d/b/a Pulsara (“Business Associate”). This Addendum supplements, is incorporated into, and forms a part of the primary commercial agreement, terms of use, or master services agreement governing Business Associate’s provision of services to Covered Entity (the “Underlying Agreement”). This Addendum is effective upon the effective date of the Underlying Agreement or the date Business Associate first receives, maintains, or transmits PHI on behalf of Covered Entity, whichever occurs first (“Effective Date”).

RECITALS

  1. Covered Entity possesses Protected Health Information (“PHI”) that is protected under HIPAA Rules (as defined below), and wishes to ensure that Business Associate will appropriately safeguard such information; and

  2. Business Associate is licensing certain software and providing related technology to Covered Entity pursuant to the Underlying Agreement.

Based upon the above recitals and the mutual covenants in this Addendum, Covered Entity and Business Associate agree as follows:

1. Definitions

The following terms used in this Addendum shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured and Use.

  1. Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Addendum, shall mean Pulsara.

  2. Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Addendum, shall mean the Covered Entity first written above.

  3. HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

  4. Part 2” shall mean the Confidentiality of Alcohol and Drug Abuse Patient Records under 42 CFR Part 2.

2. Permitted Uses and Disclosures

  1. Performance of Services. Business Associate may use and disclose PHI in connection with the performance of the services as described in the Terms of Use (“Services”) if such use or disclosure of PHI would not violate HIPAA Rules, or such use or disclosure is expressly permitted hereunder.

  2. Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate in connection with the performance of Services described in the Terms of Use. Business Associate may disclose PHI for such proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if the disclosure is required by law or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

  3. Other Permitted Uses. Unless otherwise limited herein, the Business Associate may also: (1) perform Data Aggregation for the health care operations of Covered Entity; (2) may use, analyze, and disclose the PHI in its possession for the public health activities and purposes set forth at 45 C.F.R. § 164.512(b); (3) de-identify any and all PHI provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. §164.514(b); and (4) may otherwise use and disclose the PHI as authorized by Covered Entity pursuant to the Terms of Use.

  4. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.

3. Nondisclosure

  1. As Provided In The Addendum. Business Associate shall not use or further disclose PHI except as permitted or required by this BAA or as required by law.

4. Responsibilities of Business Associate

  1. Safeguards. Business Associate shall use appropriate safeguards to protect PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI not provided for by this Addendum.

  2. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and conditions that apply to Business Associate with respect to such PHI.

  3. Reporting. Business Associate shall promptly report to Covered Entity any use or disclosure of PHI in violation of this Addendum or applicable law of which it becomes aware. Business Associate further agrees to promptly report to Covered Entity, without unreasonable delay but in no event later than ten (10) business days, any Successful Security Incident of which it becomes aware. In addition, Business Associate shall promptly report to Covered Entity, without unreasonable delay but in no event later than ten (10) business days, any Breach of Unsecured PHI.

    Notwithstanding the foregoing, the parties acknowledge that Business Associate routinely experiences Unsuccessful Security Incidents that do not result in unauthorized access to PHI or material compromise to the confidentiality, integrity, or availability of PHI or Business Associate’s systems. Covered Entity agrees that this Section constitutes ongoing notice of such Unsuccessful Security Incidents, and no additional notice shall be required for such events. Examples include, without limitation, pings, port scans, blocked intrusion attempts, unsuccessful log-in attempts, malware attempts, vulnerability scans, and denial-of-service attacks that do not result in system compromise.

  4. Mitigation. Business Associate shall have procedures in place to mitigate any deleterious effect from any use or disclosure of PHI in violation of this Addendum or applicable law.

  5. Cost Reimbursement. In the event of a Breach involving PHI maintained, used, or disclosed by Business Associate that is the fault of Business Associate, Business Associate shall reimburse Covered Entity for the reasonable cost of providing any legally required notice to affected individuals and the cost of credit monitoring for such individuals to the extent required by applicable law.

  6. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this Addendum or applicable law.

  7. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules; provided, however, that Business Associate shall promptly notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary, and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The parties’ respective rights and obligations under this Section shall survive termination of this Addendum.

5. Obligation to Provide Access and Accounting of PHI

  1. Access to PHI. To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA Rules.

  2. Amendment of PHI. To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA Rules.

  3. Accounting of Disclosures of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA Rules. Business Associate shall make this information available to Covered Entity upon Covered Entity’s request.

  4. Forwarding Requests From Individual. In the event that any individual requests access to, amendment of, or accounting of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA Rules, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.

6. Responsibilities of Covered Entity

Covered Entity will:

  1. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notice;

  2. provide Business Associate with any changes in, or revocation of, permission by Individual to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;

  3. notify Business Associate of any restriction to the use and/or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.

7. Indemnification

  1. Each party (the “Indemnifying Party”) agrees to indemnify, defend, and hold harmless the other party and its directors, officers, employees, contractors, and agents, (the “Indemnified Party”) against, and in respect of, any and all third-party claims, losses, expenses, costs, damages, obligations, penalties, and liabilities which the Indemnified Party may incur by reason of the Indemnifying Party’s breach of or failure to perform any of its obligations pursuant to this Addendum.

8. Term and Termination

  1. Term. This Addendum shall be effective as of the Effective Date, and shall continue until the earlier of when this Addendum is terminated in accordance with the provisions of this Section or the Underlying Agreement terminates.

  2. Termination 

    1. If Covered Entity determines that Business Associate has breached or violated a material term of this Addendum, Covered Entity may, at its option, pursue any and all of the following remedies:

      1. Take any reasonable steps that Covered Entity, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or

      2. Covered Entity may terminate the Underlying Agreement in the event of Business Associate’s uncured material breach of this Addendum following 30 days’ notice and opportunity to cure, if curable.

    2. If Business Associate determines that Covered Entity has breached or violated a material term of this Addendum, Business Associate may, at its option, pursue any and all of the following remedies:

      1. Take any reasonable steps that Business Associate, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or

      2. Terminate this Addendum in the event of Covered Entity’s uncured material breach of this Addendum following 30 days’ notice and opportunity to cure, if curable.

  3. Return or Destruction of Records. Upon termination of this Addendum for any reason, Business Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate still maintains in any media, and shall retain no copies of such PHI. If Covered Entity, in its sole discretion, requires that Business Associate destroy any or all PHI in its possession, Business Associate shall certify to Covered Entity that the PHI has been destroyed. If return or destruction is not feasible, Business Associate shall inform Covered Entity of the reason it is not feasible and shall continue to extend the protections of this Addendum to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible. The foregoing will not apply, however, to any PHI for which Business Associate has received from the applicable individual (with respect to whom the PHI pertains) authorization in accordance with HIPAA that Business Associate may retain such PHI for the purposes authorized by the individual. Business Associate’s obligations with respect to such PHI will become outside the scope of this Addendum and will be governed by HIPAA and the agreement between Business Associate and the individual.

9. Part 2 Responsibilities

  1. To the extent that in performing its services for Covered Entity, Business Associate uses, discloses, maintains, or transmits protected health information that is protected by Part 2, Business Associate: (1) will rely on Covered Entity to obtain necessary patient consent before Covered Entity transmits patient information subject to Part 2 through Business Associate’s Services; (2) acknowledges and agrees that in receiving, storing, processing or otherwise dealing with any such patient records, it must comply with the Part 2 regulations in connection with any requests for access by parties other than those with which Covered Entity communicates through Business Associate’s Service; and (3) if necessary, will resist in judicial proceedings any efforts to obtain access to patient information except as permitted by the Part 2 regulations.

  2. Notwithstanding any other language in this Addendum, Business Associate acknowledges and agrees that any patient information it receives from Covered Entity that is protected by Part 2 is subject to protections that prohibit Business Associate from disclosing such information to agents or subcontractors without the specific written consent of the subject individual.

  3. Business Associate acknowledges that any unauthorized disclosure of information under this section is a federal criminal offense.

10. General Provisions

  1. Conflict and Precedence. In the event of any direct conflict or inconsistency between the terms of this Addendum and the Underlying Agreement, the terms of this Addendum shall control solely with respect to the parties’ standard compliance obligations regarding HIPAA. For all other matters - including but not limited to financial liability caps, indemnification parameters, governing law, venue, and dispute resolution - the terms and conditions of the Underlying Agreement shall govern and control.

  2. State Law. Nothing in this Addendum shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.

  3. Amendment. Covered Entity and Business Associate agree that amendment of this Addendum may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI, including, but not limited to, changes under the HIPAA Rules. This Addendum may not otherwise be amended except by written agreement between both parties.

  4. Attorney’s Fees. The prevailing party in any action or proceeding to enforce any of the provisions of this Addendum shall be entitled to recover reasonable attorneys’ fees, costs, and expenses incurred in connection with actions or proceedings.

  5. Waiver. The failure of either party to enforce any right or provision in this Addendum shall not constitute a waiver of such right or provision unless acknowledged and agreed to by that party in writing.

  6. Severability. If any provision of this Addendum is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.

  7. Assignment. The rights and/or obligations contained in this Addendum may not be assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or subsidiary) without the prior written approval of the other party, not to be unreasonably withheld, provided, however that either party may assign this Addendum in connection with a merger, consolidation or acquisition of a party resulting in a change of control or a transfer or sale of all or substantially all of the assets of either party. No assignment or delegation shall relieve either party of liability for its obligations hereunder.

  8. Counterparts. This Addendum may be executed in one or more counterparts, each of which may be deemed an original, but all of which constitute one and the same instrument. Delivery of an executed counterpart of a signature page of this Addendum by facsimile or other electronic transmission shall be effective as delivery of a manually executed counterpart of this Addendum.

  9. Notices. All notices, requests, or consents required or permitted under this Addendum will be in writing (including electronic form) to each party or to such other party and/or address as any of such parties may designate in a written notice served upon the other party in the manner provided for below. Each notice, request, consent, or other communication will be given and will be effective: (1) if delivered by hand, when so delivered; (2) if delivered by nationally recognized overnight courier service or sent by United States Express Mail, upon confirmation of delivery; (3) if delivered by certified or registered mail, on the third following day after deposit with the United States Postal Service.