DRFIRST
FACILITY MASTER SERVICES AGREEMENT
This Facility Master Services Agreement (“MSA”) is entered into by and between DrFirst.com, Inc. (“DrFirst”) and the entity identified on the DrFirst webstore, including its affiliates and subsidiaries (referred to collectively, as “Company”), as of the date of execution, as shown on the DrFirst webstore (the “Effective Date”). This MSA is intended to operate together with one or more product addendums (each, an “PA”).This MSA, any PAs, and any exhibits incorporated therein are hereinafter referred to, collectively, as “the Agreement.” In the event of a conflict between this MSA and an PA the terms of the PA shall govern.
I. DrFirst Services. DrFirst provides software applications, platforms, and services for electronic prescribing, medication management, secure texting, and related products (“the Applications”) for use by Authorized End Users. As used herein, the term Authorized End User means an individual who (i) has registered with DrFirst as a user of an Application; (ii) is authorized by virtue of such individual’s relationship to, or permissions from, Company to access DrFirst Applications pursuant to the PA; and (iii) has executed the terms of use agreement applicable to the Application. Access to Applications provided by DrFirst shall be subject to the terms of this Agreement.
II. Company Obligations for all Applications. Company shall identify an individual employee or representative who shall register with DrFirst as the “Application Administrator” to administer each Application described in a PA. After the initial registration, Company shall be responsible for granting and revoking access to the Application through its administrative features. Company shall obtain consents or authorizations from patients to allow Company to use and disclose patient information and records through the Applications. Company shall ensure that Company’s use of the Application, and access by Authorized End Users, complies with applicable laws and regulations. To the extent applicable, Company shall ensure that it’s Authorized End Users use the most up to date version of the Applications and will be responsible for any failure to do so. Company’s Authorized End Users must execute DrFirst’s terms of use, as updated from time to time, prior to use of any Application. Detailed Company obligations are established in the PA. Company must execute and abide by the Business Associate Agreement attached hereto as Exhibit A.
III. Ownership of Software, Products and Intellectual Property. Subject only to the limited rights expressly granted to Company in an PA, DrFirst has sole and exclusive rights to the DrFirst Brand, the Application, the software associated with the Application, including interface software, and all related materials, including all copies thereof in any form or medium, whether now known or existing or hereafter developed, and including all copyrights, patents, trade secrets, trademarks, trade names and intellectual property rights associated therewith. All goodwill arising in or from the DrFirst Brand shall inure solely to DrFirst’s benefit. Company shall not: (i) attempt to de-compile, reverse assemble, reverse engineer, or attempt to gain access to the source code of any software furnished by DrFirst; (ii) import, add, modify or create derivative works of any such software or user materials; (iii) delete data in any such software database by any method other than direct data entry through the Application, or through a DrFirst developed interface; or (iv) remove any proprietary notices, labels, or marks from any software or user materials provided by DrFirst. The software, user materials, and other rights granted herein may not be transferred, leased, assigned, or sublicensed without DrFirst’s prior written consent, except to a successor in interest of Company’s entire business who assumes the obligations of the Agreement. In the event of any unauthorized transfer, Company’s rights under the Agreement shall automatically terminate.
IV. Confidentiality. During the performance of this Agreement, each party may have access to certain confidential information of the other party or third parties (“Confidential Information”). Both parties agree that all Confidential Information is proprietary to, and shall remain the sole property of, the disclosing party or such third party, as applicable. Each party receiving Confidential Information shall (i) use the Confidential Information only for the purposes described herein; (ii) not reproduce the Confidential Information except as minimally necessary to use under this Agreement; (iii) hold in confidence and protect the Confidential Information from dissemination to, and use by, any third party; (iv) not create any derivative work from Confidential Information ; (v) restrict access to the Confidential Information to such of its personnel, agents, and/or consultants, if any, who have a need to have access for purposes of performing said party’s obligations hereunder and who are under an obligation of confidentiality with respect to the Confidential Information; and (vi) return or destroy all Confidential Information in its possession upon termination or expiration of the Agreement. Confidential Information does not include information that is: (i) publicly available or in the public domain, through no fault of the recipient; (ii) already in the recipient’s possession free of any confidentiality obligations with respect thereto at the time of disclosure; (iii) independently developed by the recipient without access or reference to the Confidential Information disclosed by the other Party; (iv) approved for release or disclosure by the disclosing Party without restriction.
V. Compliance With Privacy Laws. The parties agree to comply with all applicable state and federal laws and regulations governing the protection of protected health information, including, but not limited to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, all implementing laws and regulations related thereto, and the Business Associate Agreement attached hereto as Exhibit A and incorporated by reference.
VI. Data Handling. DrFirst may de-identify any and all protected health information and other data provided to it by Company. De-identified data may be used for any lawful purpose; provided, however, that the use does not identify Company or the Authorized End User, except as may be provided in a PA. Company shall allow DrFirst and Surescripts, without notice, the ability to access, inspect, and review all records related to information and Medication History Information provided by or through the Surescripts network through the Application.
VII. Use of Medication History Information. Company agrees that it will only use medication history information provided by an Application (“Medication History Information”) for the purpose of providing direct health care services to a Company patient. Certain services are provided over a network operated by Surescripts, LLC (“Surescripts”). Company acknowledges that the Medication History Information provided hereunder may not be complete or accurate, and neither DrFirst, Surescripts, nor any pharmacy or other entity providing information under the Medication History Service provides any representations or warranties with respect to the accuracy or completeness of the Medication History Information. Company releases and holds harmless DrFirst, Surescripts, and any person or entity providing Medication History Information from any liability, cause of action, or claim related to the completeness or lack thereof of the Medication History Information. Company is not required to release and hold harmless any party whose conduct is found to be willfully malicious or reckless or grossly negligent. Company agrees to confirm the accuracy of the Medication History Information with the patient prior to providing any medical services based thereon and Company agrees that its Authorized End Users shall use their professional judgment in the provision of care. Company acknowledges that the Medication History Service shall be used only for those patients from whom Company has obtained prior consent of the patient to access such patient’s medication history. Other than in the course of treatment for the Company’s patient, Company shall not provide the Medication History Information to any other person or entity for any reason whatsoever, or use the Medication History Information for any other purpose. Company shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of any data provided hereunder for any purpose not authorized by this Agreement. Company shall not use any Medication History Information for any reason, whether in aggregated form or otherwise, except for the sole purpose of treating a Company patient.
VIII. Influencing of Providers. Company shall not use any means, program, or device to influence or attempt to influence the decision of an Authorized End User to write a prescription for a certain medication or to send the prescription to a certain pharmacy. Information related to formulary and benefit plan design and information from payers or other reputable sources providing clinical information shall be exempt from this prohibition, so long as the Authorized End User can still access all pharmaceuticals and the Authorized End User or patient is not prohibited from selecting a pharmacy. `
IX. Availability of Data Sources. Company acknowledges and agrees that any pharmacy, pharmacy benefit manager, payer or plan may elect not to receive prior authorizations from Company or Company’s Authorized End Users. Company acknowledges and agrees that any pharmacy benefit manager, pharmacy, payer, or other source of data may be added or deleted at any time without prior notice to Company.
X. Audit Rights. Company shall allow DrFirst, without notice, the ability to access, inspect, and review all records related to the services provided by DrFirst through its application.
XI. WARRANTIES AND DISCLAIMERS. EXCEPT AS EXPRESSLY SET FORTH HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DRFIRST DISCLAIMS ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND/OR NON-INFRINGEMENT. DRFIRST DOES NOT WARRANT THAT THE APPLICATION WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF THE APPLICATION WILL BE UNINTERRUPTED OR ERROR-FREE.
XII. LIMITATION OF LIABILITY. IN NO EVENT SHALL DRFIRST OR ANY OF ITS LICENSORS, AGENTS OR REPRESENTATIVES BE LIABLE TO COMPANY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, LOST PROFITS, OR BUSINESS INTERRUPTION, EVEN IF DRFIRST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL DRFIRST BE LIABLE TO COMPANY ON ACCOUNT OF ANY LOSS OR CLAIM CAUSED BY THE FAILURE OF COMPANY OR ANY OF ITS EMPLOYEES, AGENTS, PROVIDERS OR REPRESENTATIVES TO PERFORM ANY OBLIGATIONS UNDER THIS AGREEMENT. THE CUMULATIVE LIABILITY OF DRFIRST TO COMPANY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF LICENSE FEES PAID TO DRFIRST BY COMPANY, WITH RESPECT TO THE APPLICATION UPON WHICH THE CLAIM IS BASED, DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE ACT, OMISSION OR EVENT GIVING RISE TO SUCH LIABILITY
XIII. Indemnification. DrFirst agrees to hold, harmless, indemnify, and, at Company’s option, defend Company from and against any losses, liabilities, costs (including reasonable attorneys’ fees) or damages resulting from: (i) misuse of data by DrFirst in violation of Section V; (ii) any breach by DrFirst of Confidentiality obligations in Section IV; and (iii) an Infringement Claim which, for this purpose, means a claim by any third party that an Application, infringes that third party’s U.S. patents issued as of the effective date of the applicable PA, or infringes or misappropriates such third party’s copyrights or trade secret rights under applicable laws of any jurisdiction within the United States of America. Company agrees to hold harmless, indemnify, and, at DrFirst’s option, defend DrFirst from and against any losses, liabilities, costs (including reasonable attorneys’ fees) or damages resulting from: (i) use by an Authorized End User or third party end user that has not executed the terms of use; (ii) misuse of data in violation of Section VII; (iii) any breach of Confidentiality obligations in Section IV; and (iv) any material breach of the Agreement that gives rise to liability of DrFirst to a third party. A party claiming indemnification must promptly notify the indemnifying party, in writing, of a potential claim and must cooperate with the indemnifying party. The indemnifying party will not settle any third-party claim against the indemnified party unless such settlement completely and forever releases the indemnified party from all liability with respect to such claim or unless the indemnified party consents to such settlement. Except with respect to Infringement Claims, the indemnified party will have the right, at its option, to defend itself against any such claim, through counsel reasonably acceptable to the indemnifying party, or to participate with the indemnifying party in the defense thereof through counsel of its own choice. With respect to Infringement Claims, DrFirst shall have the sole authority to control the defense and settlement of such claim and may, in its sole discretion, (i) acquire for Company the right to continue use of the Application; (ii) modify or replace any infringing Application to make it non-infringing; or (iii) direct Company to cease use of, and, if applicable, return, such materials as are the subject of the Infringement Claim. DrFirst shall reimburse Company for all product and service fees necessitated by any such Infringement Claim. DrFirst shall not be obligated to indemnify Company for an Infringement Claim if the alleged infringement arises, in whole or in part, from: (i) modification of the Application by Company; (ii) combination, operation or use of the Application with other software, hardware or technology not provided by DrFirst, if such infringement would have been avoided by use of the Application alone; or (iii) use of a superseded or altered release of the Application, if such infringement would have been avoided by the use of a then-current release of the Application and if such then-current release has been made available to Company.
XIV. Term and Termination. This MSA will be enforceable from the Effective Date and as long as a PA remains in effect; provided, however that either Party may terminate the Agreement if the other party has breached the Agreement and failed to cure such breach within thirty (30) days of written notice setting forth, in reasonable detail, the nature of the breach and the action necessary to cure. This Agreement also may be terminated by either party immediately upon written notice in the event that the other party makes a general assignment for the benefit of creditors or files a voluntary petition in bankruptcy or for reorganization or rearrangement under the bankruptcy laws, or if a petition for involuntary bankruptcy is filed against the other party and is not dismissed within thirty (30) calendar days after the filing, or if a receiver or trustee is appointed for all or any part of the property or assets of such other party. Notwithstanding the foregoing, after three months of non-payment, DrFirst may terminate the Agreement for cause and rescind access to the Rcopia and EPCS Gold Applications; such remedy shall be in addition to any and all other remedies available to DrFirst. DrFirst shall give Company at least fourteen (14) days written notice prior to rescinding access for non-payment.
XV. Notices. All notices given pursuant to the Agreement shall be in writing and delivered either personally, via a nationally recognized overnight carrier, or by certified mail, return receipt requested, postage prepaid to the addresses set forth on the signature page of this MSA or an PA. Either party may change its address by specifying such change in a written notice given to the other in the aforesaid manner. A copy of any notice directed to DrFirst shall be sent to the attention of the DrFirst.com, Inc., Legal Department, 9420 Key West Avenue, Suite 101, Rockville, MD 20850, with a courtesy e-mail to: dfnotice@drfirst.com.
XVI. Miscellaneous. This MSA may not be modified except by a written agreement signed by authorized representatives of each party. No waiver of rights hereunder shall be binding unless contained in a writing signed by an authorized representative of the party waiving its rights. The non-enforcement of any provision in a particular instance shall not constitute a waiver of such provision on any other occasion. No rights or obligations of a party may be assigned in whole or in part by either party without the prior written consent of the other; provided, however, that a reorganization, merger, consolidation, acquisition, or restructuring involving all, or substantially all of the voting securities and/or assets of a party shall not be deemed a prohibited assignment. Neither party shall be liable for failure to perform any of its obligations hereunder if such failure is caused by an event outside its reasonable control, including, but not limited to, an act of God, shortage of materials, personnel or supplies, war, or natural disaster. If any provision of this MSA is declared invalid by a court of competent jurisdiction, such provision shall be ineffective only to the extent so declared, so that all remaining provisions of this MSA shall be valid and enforceable to the fullest extent permitted by applicable law. This MSA shall be governed by and interpreted in accordance with the laws of the state of Maryland, without regard to conflicts of law principles thereof. Any claims or disputes arising under this MSA or any Addendum shall be resolved in the state or federal courts in the State of Maryland and each of the parties hereby irrevocably submits to the exclusive jurisdiction of such courts. Under no circumstances, shall the Agreement or any part thereof be subject to the Uniform Computer Information Transaction Act. The parties recognize and agree that their obligations under sections III, IV, VI, VII, XII, and XIII above shall survive the cancellation, termination or expiration of this MSA.
EXHIBIT A DRFIRST FACILITY MASTER SERVICES AGREEMENT
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into as of the earliest date on which both the MSA and an PA have been executed by the parties (“Effective Date”) by and between DrFirst.com, Inc. (the “Business Associate,” as further defined below), whose address is 9420 Key West Avenue, Suite 101, Rockville, MD 20850, and Customer (“Covered Entity,” as further defined below), (collectively, the “Parties”).
WHEREAS, Customer is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) and DrFirst.com, Inc. is a “Business Associate” as defined under HIPAA;
WHEREAS, Business Associate has contracted with Covered Entity to provide certain services to or on behalf of Covered Entity (“Service Agreement”), and Covered Entity may provide Business Associate with Protected Health Information or may require Business Associate to create, use, maintain, or transmit Protected Health Information on behalf of Covered Entity;
WHEREAS, the parties enter into this Agreement for the purpose of ensuring compliance with HIPAA and relevant implementing regulations, including the Privacy Rule, the Security Rule, and the Breach Notification Rule;
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
I. DEFINITIONS AND INTERPRETATION
a. Definitions Generally.
i. “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
ii. “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
iii. “Electronic Protected Health Information” or (“EPHI”) shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.
iv. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
v. “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
vi. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
vii. Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
b. Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in favor of the regulations. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
c. State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
d. Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.
II. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE
a. Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI as permitted by the Security Rule, as permitted by this Agreement or the Services Agreement, and as necessary to perform functions, activities or services for or on behalf of the Covered Entity including but not limited to: (i) Facilitating the processing of administrative, clinical and financial healthcare transactions; (ii) Treatment of patients of the Covered Entity; and (iii) Establishing and maintaining Business Management Programs.
b. Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.
c. De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.
d. Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.
e. Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if: (i) Required By Law; and/or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person and Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.
f. Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
III. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
a. Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement
b. Safeguards against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
c. Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
d. Agreements with Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.
e. Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
f. Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
g. Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.
h. Accounting of Disclosures. The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure. The Business Associate shall provide to Covered Entity information necessary to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.
i. Retention of Protected Health Information. Notwithstanding Section VII of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section III(h) of this Agreement for a period of six (6) years after termination of the Service Agreement.
j. Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
k. Availability of Information. For the purpose of the Secretary determining the Covered Entity’s compliance with the Privacy Rule, the Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.
IV. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
a. Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
b. Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
c. Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.
V. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
a. Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.
b. Content of Notification. Any notice referenced above in Section V(a) of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
VI. OBLIGATIONS OF THE COVERED ENTITY
a. Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
b. Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
c. Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
d. Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.
VII. TERM AND TERMINATION
a. Term. The term of this Agreement shall be enforceable as of the Effective Date and shall terminate upon the expiration or termination of the Services Agreement.
b. Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.
c. Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall continue to extend the protections of this Agreement to all PHI received from Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. Business Associate shall limit further uses and disclosures of PHI for so long as the Business Associate maintains such PHI.
d. Retention of Certain Information. The Covered Entity understands and agrees that information generated through the use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.
VII. MISCELLANEOUS
a. Indemnification. In the event that there is a breach of privacy with respect to PHI under this BAA, the party causing the breach will indemnify the other party and its officers and directors for all actual damages, costs and attorneys’ fees caused by the breach, including but not limited to the actual costs of providing patient notice as a result of the breach.
b. LIMITATION OF LIABILITY. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION, OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
c. Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.
d. Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.
e. Survival. The respective rights and obligations of Business Associate under Article III of this Agreement shall survive the termination of this Agreement.
f. Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.
g. Notice. Any notices required or relating to this Agreement shall be in writing and shall be sent by means of certified mail, postage prepaid, or reputable commercial carrier.
If to Business Associate:
Attn: Legal
9420 Key West Avenue
Suite 101
Rockville, MD 20850
With a courtesy email to df_legal@drfirst.com
PRODUCT ADDENDUM
FOR RCOPIA (AMBULATORY)
I. OVERVIEW.
This Product Addendum (“PA”) is entered into by and between DrFirst.com, Inc. (“DrFirst”) and the entity identified on the DrFirst webstore, including its affiliates and subsidiaries (referred to, collectively, as “Company”). This PA is incorporated into a certain Master Services Agreement (“MSA”) entered into by the undersigned parties. In the event of a conflict between this PA and the MSA, the terms of this PA shall govern. Unless otherwise defined herein, capitalized terms used in this PA shall have the meanings used in the MSA.
II. RCOPIA AMBULATORY LICENSE. Subject to the terms of this PA, the MSA, and applicable law, DrFirst grants to Company the number of licenses shown on the accompanying Pricing Addendum to access DrFirst’s Rcopia Application (“Rcopia”). Rcopia is DrFirst’s web-based electronic prescription writing application and service which allows a person who has the legal authority to sign prescriptions (a “Licensed Medical Professional”), working in the ambulatory environment, to enter and send prescriptions electronically to a US pharmacy. Only a Licensed Medical Professional who is an Authorized End User (as defined in the MSA) may send prescriptions through Rcopia. Rcopia provides clinical and formulary alerts as prescriptions are written. Rcopia also provides health plan eligibility verification, formulary lookup, and medication history. Included with the prescription data entry system is DrFirst’s service of monitoring the prescription network to ensure delivery of all prescriptions. DrFirst’s service ensures that if a failed prescription is not delivered to the appropriate pharmacy on a timely basis, the user will be notified. DrFirst shall offer training of Company personnel who shall have access to the Rcopia as needed.
III. COMPANY OBLIGATIONS. Company is required to provide DrFirst with the proper data and server access in order for DrFirst to be able to provide the Application interface services. Company agrees to remain, and to cause all of its Authorized End Users to remain, bound by any and all obligations and restrictions set forth in any Business Associate Agreement (“BAA”) and Terms of Use (“TOU”) available at https://www.drfirst.com/rcopia-terms-of-use/.
IV. PRICING AND PAYMENT. Under the terms of this PA and underlying Agreement, Company shall pay DrFirst the Fees for the Rcopia application in accordance to the selection on the DrFirst Webstore.
DrFirst will invoice Company on a yearly basis and Company agrees to remit full payment of each invoice no later than thirty (30) days from the date on the invoice. Company agrees to pay interest at the rate of 1.5% per month, or the highest legal rate, whichever is less, on all overdue amounts.
TERM AND TERMINATIONS. Subject to the termination provisions of the MSA, the term of this Product Addendum begins upon execution of this PA and shall continue for an initial term of twelve (12) months (“Initial Term”). In absence of termination, the License shall automatically renew for successive one-year terms unless either party provides notice, at least sixty (60) days prior to the end of the then current term or renewal term, of its intention not to renew.
PRODUCT ADDENDUM
FOR ELECTRONIC PRESCRIBING of CONTROLLED SUBSTANCES GOLD
(EPCS GOLD) – ONLY APPLICABLE FOR EPCS GOLD PURCHASES
I. OVERVIEW.
This Product Addendum (“PA”) is entered into by and between DrFirst.com, Inc. (“DrFirst”) and the entity identified on the DrFirst webstore, including its affiliates and subsidiaries (referred to, collectively, as “Company”) only as applicable according to the Sales Agreement. This PA is incorporated into a certain Master Services Agreement (“MSA”) entered into by the undersigned parties. In the event of a conflict between this PA and the MSA, the terms of this PA shall govern. Unless otherwise defined herein, capitalized terms used in this PA shall have the meanings used in the MSA.
II. EPCS GOLD LICENSE. Subject to the terms of this PA, the MSA, and applicable law, DrFirst grants to Company the number of licenses shown on the accompanying Pricing Addendum to access DrFirst’s EPCS Gold Application (“EPCS Gold”). EPCS Gold is for use only by Authorized End Users who are validly licensed and have been properly registered with the Drug Enforcement Administration (DEA) or applicable state agencies (as required by applicable law) (“Authorized EPCS End Users”). The Application allows Authorized EPCS End Users to submit orders for scheduled drugs through DrFirst’s electronic prescribing application (“Rcopia”), to a pharmacy that accepts electronic prescriptions for controlled substances.
III. COMPANY OBLIGATIONS. Company, for itself and its Authorized EPCS End Users, shall be responsible for obtaining any necessary state or federal approvals for prescribing or dispensing controlled substances. DrFirst expressly disclaims any liability for any damages or costs occurring as a result of Company’s failure to obtain and/or maintain any necessary approvals or certifications required by the relevant provisions of the DEA Regulations applicable to Company’s status as an individual practitioner, institutional practitioner, or pharmacy (as applicable). Company agrees to remain, and to cause all of its Authorized EPCS End Users to remain, bound by any and all obligations and restrictions set forth in any Business Associate Agreement (“BAA”) and Terms of Use (“TOU”) available at https://www.drfirst.com/epcs-pdmp-terms-of-use/.
IV. DrFirst Obligations.
- DrFirst shall during the term of this PA comply with all applicable laws, rules, and regulations regarding the electronic prescribing of controlled substances and shall maintain any third-party audits or certifications as necessary to provide the Services. At Company’s request, DrFirst shall provide any copies of such third-party audits or certifications for the software provided.
- DrFirst shall not be responsible for obtaining, on behalf of Company, any federal or state approvals to use or dispense controlled substances. DrFirst shall at no time be responsible for Company’s failure to maintain or procure any such required approvals.
- DrFirst represents and warrants that the EPCS Gold platform is and shall be in compliance with the relevant provisions of the Drug Enforcement Agency’s Electronic Prescriptions of Controlled Substances Final Rule as codified in 21 CFR Parts 1300, 1304, 1306, and 1311 (the “DEA Regulations”).
- DrFirst shall provide Web based training tools and Tier 2 support for the EPCS Gold Platform.
V. IDP Management. An Authorized EPCS End User must undergo identity proofing satisfactory to DrFirst. If Company has its own credentialing process that meets Level of Assurance (“LOA”) requirements and does not require DrFirst involvement, it may upload its Authorized EPCS End Users through, InfinID, DrFirst’s user and credentialing management application for no additional charge. In such cases, Company will manage its own credentialing process. Otherwise, DrFirst can process Company’s credentialing through Experian for an additional fee. In the event a token is lost, stolen or damaged and a secondary back-up token (hard or soft) is not registered to the Authorized EPCS End User’s EPCS account, the Authorized EPCS End User must undergo the identity-proofing process again and must pay a token management replacement fee regardless of whether or not the replacement token was issued by DrFirst.
VI. Token Warranty. A complimentary token shall be provided by DrFirst for each license purchased. A free replacement token shall be furnished for any reason within the first three months of issuance. No warranties exist for the token after 3 months of issuance. Any additional tokens requested after 3 months of issuance shall be charged at a rate of $25 per token.
VII. Pricing and Payment. Under the terms of this PA and underlying Agreement, Company shall pay DrFirst the Fees for the EPCS application in accordance with selection on the DrFirst webstore.
DrFirst will invoice Company on a yearly basis and Company agrees to remit full payment of each invoice no later than thirty (30) days from the date of the invoice. Company agrees to pay interest at the rate of 1.5% per month, or the highest legal rate, whichever is less, on all overdue amounts.
VIII. Term and Termination. Subject to the termination provisions of the MSA, the term of this Product Addendum begins upon execution of this PA and shall continue for an initial term of twelve (12) months (“Initial Term”). In absence of termination, the License shall automatically renew for successive one-year terms unless either party provides notice, at least sixty (60) days prior to the end of the then current term or renewal term, of its intention not to renew.
IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement to be effective as of the day and year set forth below.