IMPORTANT: These terms apply to all RDS and/or product and service purchases unless stated otherwise in a your customer contract.

Purchase Terms & Conditions

The terms and conditions of this event are listed below:

This Agreement represents the complete and exclusive agreement between Supplier and Customer concerning Customer’s use of the services and all related matters and supersedes all prior agreements, negotiations, or understandings between Supplier and Customer in any way relating to these matters. No other terms, conditions, representations, warranties or guarantees, whether written or oral, express or implied, will form a part of this agreement or have any legal effect whatsoever. This Agreement may not be modified except by a later written agreement signed by both parties.

By executing a copy of this Agreement or by using or accessing the Services (as defined herein) through any means, Customer acknowledges and agrees that: (i) it has reviewed and understands this Agreement; (ii) it agrees to be legally bound by the terms and conditions of this Agreement; and (iii) its use of the Services and any related products or services will be governed by this Agreement. By electronically agreeing below, Customer agrees to pay the fees for such services as are set out in Schedule 1, and comply with the attached Contract Terms (such terms and Schedule 1, together with this signing page, make up the entire agreement between Supplier and Customer).

CONTRACT TERMS

Supplier will make available to Customer (on a non-exclusive basis) the services indicated in Schedule 1 (the “Services”). Supplier will also provide Customer consulting services if indicated in Schedule 1. Customer will use the Services only for its own, internal business purposes, and will not resell them or otherwise make them available to any third party. Customer will not copy, frame or mirror any part or content of the Services, nor permit any third party to access the Services, except as such third party access is expressly agreed to between the parties in Schedule 1. The Customer further agrees to those further restrictions, if any, on Customer’s access to or use of the Services which are indicated in Schedule 1.

1. Payment: Customer will pay the fees set out in Schedule 1. Supplier may adjust these fees once each year. Customer will also pay for consulting services at Supplier’s then prevailing rates, including travel and related expenses if noted in Schedule 1. In order to continue to access the Services, Customer shall pay all annual fees as set out in Schedule 1 within thirty (30) days of every twelve (12) month anniversary of the Effective Date. Overdue accounts will be subject to interest at an annual rate of 12% (calculated and paid monthly). Customer will be responsible for paying all taxes levied on the Services (except taxes on Supplier’s net income). Supplier reserves the right to suspend the provision of Services for any period during which any fees remain unpaid after a period of (30) days beyond the Effective Date upon thirty (30) days’ prior written notice by Supplier to Customer.

2. Ownership: At all times Supplier will own all intellectual property rights (including copyright) in the Services, including all intellectual property rights in any software (other than any Third Party Components) to which access may be provided by means of the Services, and all upgrades, enhancements and modifications to them. At all times Customer will own all intellectual property rights in any data entered or submitted by the Customer by means of the Services (the “Customer Data”).

3. Confidentiality: Customer will hold in strict confidence and not disclose to third parties, or use for any purpose except to obtain the Services, any confidential information of Supplier, including the Services. Customer will not attempt to decompile or reverse engineer the Services. Customer will be responsible for all damages or costs incurred by Supplier related to Customer allowing third parties to access the Services. Supplier will hold in strict confidence and not disclose to third parties, or use for any purpose except to provide the Services, any confidential information of Customer, provided that Supplier may provide to third parties summary level data (being non-identifying customer data used only in the aggregate), and Supplier may disclose Customer Data if compelled by law to do so. The Supplier will have the right to issue a press release in respect of the execution of this Agreement or the work completed by Supplier under this Agreement.

4. Data: Customer will have sole and exclusive responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Customer will not send or store infringing, obscene, threatening, libelous or otherwise unlawful or tortious material, including material that is harmful to children, violates third party privacy rights, includes malicious code, or that will interfere with the integrity of the Services. Supplier will not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Customer Data. Customer Data will be stored, located and processed in Amazon’s data centers in the United States or at data centers located in Canada, based on the Customer’s physical location, and Supplier will not keep any copies of any Customer Data.

5. Indemnities: Supplier will indemnify Customer in respect of any claim alleging that the Services infringe any copyright of a third party, provided Customer gives Supplier prompt notice of such claim and the right to control its defence. If following notice of such a claim, Supplier cannot settle it on reasonable terms, Supplier may terminate this Agreement with the sole obligation to refund to Customer any prepaid fees for any future period during which Customer will not be entitled to access the Services. Customer will indemnify Supplier in respect of any claim arising out of Supplier hosting data provided to it by Customer.

6. Warranty & Warranty Disclaimer: Supplier warrants that the Services will conform in all material respects to the documentation for the Services for a period of ninety (90) days from delivery to Customer. As Customer’s sole remedy for any breach of this warranty, if Customer brings to Supplier’s notice any incidence of non-conformance, Supplier will use reasonable efforts to correct the error. Supplier’s maintenance hours for receiving any such calls are set out in Schedule 1. EXCEPT FOR THESE WARRANTIES, CUSTOMER ACKNOWLEDGES THAT THE SERVICES, AND OTHER ITEMS PROVIDED BY SUPPLIER HEREUNDER, ARE PROVIDED “AS IS”, AND “WITH ALL FAULTS”, AND SUPPLIER DISCLAIMS ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTY AND CONDITION OF MERCHANTABLE QUALITY, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITATION, SUPPLIER DOES NOT WARRANT THAT THE SERVICES OR TRAINING WILL MEET ALL OF CUSTOMER’S REQUIREMENTS, OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. THE ENTIRE RISK AS TO SATISFACTORY QUALITY, ACCURACY, AND EFFORT IS WITH CUSTOMER. CUSTOMER ACKNOWLEDGES AND AGREES THAT IT HAS NOT RELIED ON ANY ORAL OR WRITTEN INFORMATION OR ADVICE, WHETHER GIVEN BY SUPPLIER OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS, OR EMPLOYEES. Supplier also makes no warranties regarding the Third Party Components. The parties agree that it is Customer’s responsibility to determine if the Services and other items provided hereunder are suitable for Customer’s requirements.

7. Limitation of Liability: Supplier’s entire liability under this Agreement or in any way related to the Services or consulting services will be limited to direct damages in an amount equal to the Fees paid to Supplier under this Agreement in the first twelve months after the execution of this Agreement. As well, Supplier will not be liable for any special, indirect, incidental or consequential damages arising from or related to this Agreement or in any way related to the Services or consulting services, including loss of revenue, profits or data (including due to a virus or otherwise), failure to realize expected savings, or claims against Customer by any third party, even if Supplier is advised of the possibility of such damages in advance. These limitations will apply regardless of how the claim arises, including for breach of contract or negligence. Supplier will also not be responsible for any failure to perform due to any events beyond Supplier’s control (including failures of the Internet).

8. Termination: Either party may terminate this Agreement for any reason by providing a 30 day written notice. Sections 3, 4, 6, 8, 11 and 12 will survive any termination of this Agreement. Upon termination, Customer may make a request, in writing, for the return of Customer Data. This request must be made within 30 days of the termination date provided for in the notice of termination. Customer acknowledges that Supplier has no obligation to maintain the Customer Data after 60 days beyond the termination date.

9. Assignment: This Agreement is assignable by Supplier without the consent of Customer. This Agreement is assignable by the Customer only with the prior, express written permission of Supplier. This Agreement is binding on the parties to this Agreement, and their successors and permitted assigns.

10. Governing Law: This Agreement will be governed by the laws in effect in the State of New York (exclusive of conflict of laws principles). The parties exclude the operation of the United Nations Convention on Contracts for the International Sale of Goods.

11. Disputes: Upon any dispute, controversy or claim between the parties, each of the parties will designate a representative from senior management to attempt to resolve such dispute. The designated representatives will negotiate in good faith in an effort to resolve the dispute over a period of thirty (30) days. If the dispute is not resolved in this 30 day period, the parties will submit the dispute to binding arbitration in the jurisdiction listed in Section 11, by a single arbitrator independent of both parties who is skilled in the legal and business aspects of the software industry.

12. Notices: All notices will be in writing, and will be deemed to be delivered two business days after being delivered by reputable international courier or when telecopied to the parties at the addresses shown on the signing page.

13. Amendment: This Agreement may only be modified by an instrument in writing signed by both parties.

14. Non-Waiver: No term of this Agreement will be deemed waived, and no breach of a term excused, unless the waiver or excuse is provided in writing and signed by the party issuing it.

15. Currency: All transactions between Customer and supplier will be in US dollars, unless otherwise noted in Schedule 1.

16. Independent Contractors: The relationship of the parties established by this Agreement is that of independent contractors. Nothing in this Agreement will be construed to permit either party to bind the other or to enter into obligations on behalf of the other party.

17. The Company agrees to include, at minimum, a provision in its patient-facing agreements outlining the Company’s use of patients’ personal health information in the course of developing customized meal plans. For Canadian Customers, the following language, or substantially similar language, must be included in such Agreements:

The Company is committed to safeguarding the confidentiality of your [the resident’s] personal health information. The Company will only collect, use, or disclose your personal health information in accordance with the provisions of The Personal Information Protection and Electronic Documents Act and its regulations or where otherwise permitted or required by law. The Company uses your personal health information for purposes related to the preparation of customized meal plans to promote your wellness. In this process, your personal health information will be shared with Computrition, Inc., a provider of fully integrated foodservices and nutrition management software systems, who will conduct nutrient analysis. The Company will not collect or use more information than is reasonably necessary to deliver customized meal plans. In the course of preparing meal plans, resident will be identified through an account number in order to ensure that the individual is not identified.

SCHEDULE 1

Services Description: The Services include access to the following online application(s) of the Supplier: RDS via an internet-based connection (via or such websites as may be designated by the Supplier from time to time) and a reasonable amount of support, consisting of: (a) answering Customer’s operational questions; (b) error correction for the Services; and (c) updating the Services as Supplier sees fit. Support will not include: problems caused by Customer’s error, or equipment, software or other items not supplied by Supplier, and Supplier’s work on such items will be billed separately at Supplier’s then prevailing rates.

Fees: Customer will provide payment of fees on the date Customer is first given access to the Services, and thereafter annually in advance.

Restrictions/Access Rights:

  • Currency: US Dollars.
  • Warranty Maintenance Hours: 7:30 a.m. to 7 p.m. ET time, Monday to Friday, exclusive of statutory holidays.

HIPPA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BAA”) is made and entered into between Customer (the “Company”) and Supplier (“Business Associate” or “BA”). RECITALS

1. Company is a “covered entity” within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the standards for the Privacy of Individually Identifiable Health Information (“Privacy Rule”), the standards for the Security of Electronic Protected Health Information (the “Security Rule”) and the Breach Notification Rule promulgated by the United States Department of Health and Human Services (“DHHS”) pursuant thereto.

2. BA provides Computer Software services to Company, which services necessarily involve the access to, generation of, use of, maintenance of, or disclosure of health information that identifies individual patients (“Protected Health information” or “PHI”) some of which is in electronic form (“Electronic Protected Health Information” or “EPHI”). Accordingly, BA is a business associate of Company pursuant to HIPAA, HITECH, the Privacy Rule, the Security Rule and the Breach Notification Rule.

3. Company is obligated by HIPAA, HITECH, the Privacy Rule and the Security Rule to obtain “satisfactory assurances” from its business associates as a precondition to permitting a business associate to access, generate, use, maintain, or disclose PHI and EPHI on its behalf or in the course of performing services for it.

4. For the foregoing reasons, Company and BA desire to enter into an agreement that complies with all the requirements of HIPAA, HITECH, the Privacy Rule and Security Rule regarding business associate “satisfactory assurances.

NOW, THEREFORE, in consideration of the foregoing and of the mutual promises contained herein, Company and BA agree as follows:

1. DEFINITION OF TERMS

1.1 Any terms used in this BAA that are defined in HIPAA, HITECH, the Privacy Rule, the Security Rule, or the Breach Notification Rule shall have the same meaning when used in this BAA as they have in HIPAA, HITECH, the Privacy Rule, the Security Rule and the Breach Notification Rule.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 BA is authorized to access, generate, maintain, use, disclose or transmit PHI and EPHI only as necessary and appropriate to provide computer software systems on behalf of or for Company.

2.2 Except as otherwise limited in this BAA, BA may also use PHI and EPHI for the proper management and administration of BA or to carry out the legal responsibilities of BA, and as required by law. BA may also use PHI and EPHI received from or pertaining to Company to deidentify the PHI or EPHI in any manner permitted by the Privacy Rule and the Office of Civil Rights guidelines regarding de-identification. Once de-identified, BA may use this data for any purpose since it is no longer PHI protected by HIPAA, HITECH, the Privacy Rule, the Security Rule, or the Breach Notification Rule.

2.3 BA shall not use or further disclose PHI and EPHI other than as permitted or required by this BAA or as required by law. BA acknowledges that it is obligated to independently comply with the Security Rule, certain provisions of the Privacy Rule as mandated by HITECH and the Privacy Rule, and the Breach Notification Rule, and that it may be directly liable to the government for fines and other sanctions imposed by DHHS, and the State Attorney General for non-compliance.

2.4 BA agrees to use appropriate safeguards to prevent use or disclosure of PHI and EPHI other than as provided for by this BAA. BA further agrees to implement the requirements of the Security Rule to protect EPHI in its possession, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of Company. “Appropriate Safeguards” include, but are not limited to, physical, administrative and technical safeguards such as locking cabinets or rooms where PHI is housed, using computer passwords or other security measures to prevent unauthorized access to PHI in electronic format, providing encryption or comparable protection for EPHI at rest and in motion, implementing policies and procedures describing authorized access and use for BA’s work force, and human resources policies and procedures to enforce these rules.

2.5 In making a permitted or required use or disclosure of PHI or EPHI, BA shall comply with Company’s minimum necessary requirements stated in Company’s policies and procedures.

2.6 BA agrees to perform such activities as are necessary or appropriate to mitigate, to the extent practicable, any harmful effect that is either independently known to BA or brought to BA’s attention by Company, as a result of a wrongful use or disclosure of PHI or EPHI by BA. This obligation is in addition to the obligations stated in paragraph 2.7 of this BAA.

2.7 BA agrees to report to Company any use or disclosure of PHI or EPHI in violation of this BAA. BA further agrees to report to Company any security incident regarding EPHI of which it becomes aware. Without limiting the generality of the foregoing, BA agrees to notify Company of any Breach (as that term is defined in HITECH and the Breach Notification Rule) of unsecured PHI or EPHI that BA discovers or should have discovered. BA shall provide such notification of a Breach within five (5) business days of the date upon which it discovered the Breach. BA shall provide to Company the names, addresses, telephone numbers, and email addresses of each individual affected by a Breach, along with a description of the data involved in the Breach, a description of how the Breach occurred, and a description of all internal steps that the BA has taken to prevent a future similar Breach. BA shall cooperate with Company in the preparation and distribution of notices of the Breach to the affected individuals, and with providing notice to DHHS and media outlets as required by HITECH and the Breach Notification Rule.

2.8 BA agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI or EPHI received from, or created or received by BA on behalf of Company, agrees to the same restrictions and conditions that apply through this BAA to BA, including that each such agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect EPHI. BA shall accomplish this by executing a proper Business Associate Agreement with each such subcontractor, as described in the Privacy Rule, that is at least as stringent as this BAA. BA further agrees that no subcontractors from foreign countries will be used, without the prior express written consent of the Company.

2.9 BA agrees to notify Company within five (5) business days of receipt of a request by an individual for access to the Individual’s PHI or EPHI. Once Company has determined that the individual is entitled to access to the requested PHI or EPHI pursuant to the Privacy Rule and so notifies BA (whether the Individual’s request was first made to BA or directly to Company), then BA shall provide access to PHI and EPHI in a Designated Record Set to an Individual or to an Individual’s designee with respect to EPHI, in order to meet the inspection and copying requirements of the Privacy Rule. If the Company determines that the Individual is not permitted access to PHI or EPHI pursuant to the Privacy Rule, then BA shall take such action as the Company requests in order to satisfy the Company’s obligations under the Privacy Rule for denied requests for access.

2.10 BA agrees to notify Company within five (5) business days of receipt of a request by an individual to amend the Individual’s PHI or EPHI. When notified by Company that Company has agreed to an Individual’s request for an amendment to the individual’s PHI or EPHI, BA shall make the amendment(s), and incorporate such amendments into the PHI and EPHI in its possession. If Company does not agree to a requested amendment, BA shall take appropriate steps as necessary to satisfy Company’s obligations respecting an Individual’s amendment rights under the Privacy Rule.

2.11 To the extent that BA is required pursuant to this BAA to carry out one or more of Company’s obligations under the Privacy Rule, BA shall comply with the requirements of the Privacy Rule applicable to the Company’s performance of such obligation.

2.12 BA agrees to make its internal practices, books, and records relating to its use and disclosure of PHI and EPHI available to Company or the Secretary of DHHS (or his/her designee), for purposes of the Secretary of DHHS (or his/her designee) determining Company’s and the BA’s compliance with HIPAA, HITECH, the Privacy Rule, the Security Rule, and the Breach Notification Rule, or for purposes of private Company auditing and monitoring of BA’s performance.

2.13 BA agrees to document all disclosures of PHI and EPHI and information related to such disclosures as would be required for Company to respond to a request by an Individual for an accounting of disclosures of PHI and EPHI in accordance with the Privacy Rule and HITECH. Within five (5) days of Company’s request, BA shall provide to Company the information so collected to permit Company to respond to a request by an Individual for an accounting of disclosures of PHI and EPHI. To the extent that BA holds PHI or EPHI from an Electronic Health Record used by Company, BA further agrees to provide to a requesting Individual an accounting of disclosures of EPHI it has made, including an accounting of disclosures for treatment, payment and health care operations during the three years prior to the Individual’s request. If an Individual makes a request for an accounting of PHI or EPHI directly to BA in circumstances in which BA does not hold EPHI from an EHR, then BA shall notify the Company of the request within five (5) days of receiving the request from the Individual and provide the Company with the information about disclosures that BA has documented, in the same manner as if the Individual’s request was made directly to the Company.

2.14 BA agrees to honor any restriction on the use or disclosure of PHI or EPHI that Company agrees to, provided that Company notifies BA of such restriction.

2.15 BA shall establish specific procedures and mechanisms to implement BA’s obligations pursuant to HIPAA, HITECH, the Privacy Rule, the Security Rule, the Breach Notification Rule, and this BAA. Such procedures and mechanisms shall be in writing, and shall be available to Company for review upon request.

2.16 BA shall require each member of its work force that has contact with PHI and EPHI in the course of providing services to Company to sign a statement indicating that the work force member has read this BAA, understands its terms, and agrees to abide by them, including without limitation, the obligation not to use or disclose PHI and EPHI except as necessary and appropriate to carry out the services being performed by BA for or on behalf of Company. BA will make such signed statements available to Company upon request.

2.17 Under no circumstances should the Business Associate’s liability pursuant to this BAA exceed the amount set forth under Section 8 (Limitation of Liability) in the Terms and Conditions established between the Business Associate and the Company. The Company and the Business Associate agree that the limitation of liability set forth under Section 8 (Limitation of Liability) in the Terms and Conditions established between the Business Associate and the Company will apply, in aggregate, to any claims arising under the Terms or Conditions, the BAA or otherwise in connection with the services provided by the Business Associate.

3. OBLIGATIONS OF COMPANY

3.1 Company shall provide BA with the notice of privacy practices and minimum necessary policy that Company produces in accordance with the Privacy Rule, as well as any changes to such notice or policy.

3.2 Company shall notify BA of any restriction to the use or disclosure of PHI and EPHI that Company has agreed to in accordance with the Privacy Rule.

3.3 Company shall not request BA to use or disclose PHI or EPHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Company, except for uses of PHI for the proper administration and management of BA or as required by law.

4. TERM AND TERMINATION

4.1 The term of this BAA shall commence on the date of execution of this agreement and shall continue conterminously with the term of all services being performed by BA for or on behalf of Company that necessarily and routinely involve PHI and EPHI, unless sooner terminated in accordance with paragraph 4.2 hereof.

4.2 Upon Company’s knowledge of a material breach by BA, or BA’s knowledge of a material breach by Company, Company or BA (as applicable) shall, at its sole option, do either of the following:

4.2.1 Provide a 15 day opportunity for the non-breaching party to cure the breach to the satisfaction of the non-breaching party, or terminate this BAA and the services relationship with BA if the breaching party does not cure the breach to the satisfaction of the non-breaching party, or

4.2.2 Immediately terminate this BAA and the services relationship with BA without an opportunity to cure if the non-breaching party determines, in its sole discretion, that cure is not possible.

4.3 In addition to the termination for cause provisions stated in paragraph 4.2, this BAA may also be terminated in any of the following circumstances:

4.3.1 The services relationship between BA and Company is terminated for any reason;

4.3.2 The provisions of HIPAA, HITECH, the Privacy Rule or the Security Rule are amended, modified or changed such that this BAA is no longer mandated;

4.3.3 By the mutual agreement of Company and BA, provided that if the services relationship continues to require BA to access, use, generate, maintain, disclose or transmit PHI or EPHI, a new BAA between Company and BA must be substituted.

4.4 Effect of Termination.

4.4.1 Except as provided in paragraph 4.4.2, upon termination of this BAA for any reason, BA shall return or destroy all PHI and EPHI received from Company, or created or received by BA on behalf of Company. This provision shall apply to PHI and EPHI that is in the possession of subcontractors or agents of BA. BA shall retain no copies of PHI or EPHI.

4.4.2 In the event that BA believes that returning or destroying PHI or EPHI is infeasible, BA shall provide to Company an explanation of the conditions that make return or destruction infeasible. Upon Company’s concurrence that return or destruction of PHI or EPHI is infeasible, BA shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI and EPHI to those purposes that make the return or destruction infeasible, for so long as BA maintains such PHI or EPHI.

4.4.3 If this BAA is terminated and not immediately replaced with a substitute business associate agreement, and if the Privacy Rule or the Security Rule in effect at that time continues to mandate the execution of a business associate agreement between covered entities and their business associates, then the services relationship between BA and Company shall immediately terminate simultaneously with this BAA, to the extent that BA’s services continue to necessarily and routinely involve access, use, generation, maintenance, disclosure or transmission of PHI or EPHI.

5. GENERAL PROVISIONS

5.1 BA agrees that the terms and conditions of this BAA shall be construed as a general confidentiality agreement that is binding upon BA even if it is determined that BA is not a business associate as that term is used in HIPAA, HITECH, the Privacy Rule or the Security Rule.

5.2 Company and BA shall not be deemed to be partners, joint ventures, agents or employees of each other solely by virtue of the terms and conditions of this BAA. BA is an independent contractor of Company for all purposes, including the application of the federal common law.

5.3 This BAA shall not be modified or amended except by a written document that is signed by both parties. Company and BA agree to modify or amend this BAA if HIPAA, HITECH, the Privacy Rule, the Security Rule, or the Breach Notification Rule change in a manner that affects the terms and conditions of this BAA, or the obligations of covered entities and/or business associates.

5.4 Any communications between Company and BA regarding this BAA shall be in writing, whether or not oral communications have also occurred. Written communications may be sent by certified or registered U.S. Mail, receipted courier service, receipted hand delivery, receipted fax, or by receipted email.

5.5 No waiver of any provision of this BAA, including this paragraph, shall be effective unless the waiver is in writing and signed by the party making the waiver.

5.6 This BAA is entered into solely for the benefit of the parties, and is not entered into for the benefit of any third party, including without limitation, any patients of Company or their legal representatives.

5.7 This BAA is not assignable or delegable without the express advance written consent of the party not seeking to assign or delegate.

5.8 This BAA shall be governed by and construed in accordance with the laws of the United States of America and the laws of the state of California. This BAA shall be interpreted and construed so as to render it compliant with HIPAA, HITECH, the Privacy Rule, the Security Rule, and the Breach Notification Rule.

5.9 If any provision of this BAA is determined by a court of competent jurisdiction to be invalid or unenforceable, this BAA shall be construed as though such invalid or unenforceable provision were omitted, provided that the remainder of this BAA continues to satisfy all of HIPAA, HITECH, the Privacy Rule, and the Security Rule requirements for a business associate agreement. If it does not, then the parties shall immediately renegotiate this BAA so that it does comply with the requirements of HIPAA, HITECH, the Privacy Rule, and the Security Rule or terminate this BAA and the service relationship between the BA and Company to the extent that BA’s services necessarily and routinely involve access, use, generation, maintenance, disclosure or transmission of PHI or EPHI.

5.10 This BAA contains the entire agreement between the parties pertaining to this subject matter, and supersedes all prior understandings, whether written or oral, regarding the same subject matter.

5.11 The provisions of this BAA dealing with breach notification, the construction of this BAA as a general confidentiality agreement, and BA’s obligations to return or destroy PHI and EPHI upon termination shall survive the termination of this BAA for any reason.