ONLINE TERMS AND CONDITIONS

USE OF THE SERVICES ORDERED FROM ICONIC DATA, INC. (“ICONIC DATA”) IS PROVIDED ONLY AS DESCRIBED IN THESE TERMS AND IN THE ORDER FORM (COLLECTIVELY REFERRED TO AS “THE AGREEMENT”).  PLEASE READ THE FOLLOWING CAREFULLY AND INDICATE YOUR ACCEPTANCE OF THIS AGREEMENT BY CLICKING THE ACCEPTANCE BOX BELOW.  By reviewing the Agreement and accepting it by clicking on the “I Accept” button below, you, for yourself and the organization for whom you are employed, if applicable, as customer (hereinafter “Customer”) accept the terms and conditions set forth herein and represent that you have the authority to enter into this Agreement on Customer’s behalf.

  1. DEFINITIONS.  All capitalized terms shall have the meaning set forth on the applicable Order, Exhibit A or as otherwise defined in the body of these Terms.

  1. SERVICE.
  1. Use.  Subject to Customer’s compliance with this Agreement, Iconic Data grants to Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Service and Documentation for Customer’s internal business purposes.  
  2. Description of Service.  Subject to Customer’s compliance with this Agreement, Iconic Data shall, during the Term, provide the Service and make available the Documentation to the Customer. Iconic Data shall use commercially reasonable efforts to make the Service except for maintenance.  Iconic Data will, as part of the Service and at no additional cost to Customer, provide Customer with Iconic Data’s standard customer support services during Iconic Data’s normal business hours in accordance with Iconic Data's Support Services Policy in effect at the time that the Service is provided. Iconic Data may amend the Support Services Policy in its sole and absolute discretion from time to time. All Standard Upgrades will be provided to Customer at no additional charge when generally available.  Enhancements may be made available for an additional fee.
  3. Authorized Users.  Customer may permit the number of Authorized Users set forth on the Order to use the Service provided, however, that Customer is responsible for the following:
  1. Creating a unique User ID for each Authorized User and providing same to Iconic Data;
  2. Verifying that each Authorized User has the authority to access and use the Service and has the legal right to collect, use and disseminate the information provided by such Authorized User in connection with the Service;
  3. Training all Authorized Users in the requirements of this Agreement and the Policies relating to their access and use of the Service, and ensure that they comply with such requirements;
  4. Taking appropriate disciplinary action against any Authorized User who violates the terms of the Agreement or the Policies; and;
  5. Immediately notifying Iconic Data of the termination of employment or relationship of any Authorized User, or of Customer’s withdrawal of authorization for any such person to access the Service.
  1. Limitations.  Except as set forth herein, Customer shall make no other use of the Service, or use the Service for the benefit of any other person or entity, or permit any third party to make such use, and Customer shall have no other rights or licenses with respect to the Service.  Except as expressly provided herein, Customer shall not and shall not allow third parties to reproduce, copy, market, sell, sublicense, distribute, lease, transfer, translate, modify, adapt, disassemble, decompile or reverse engineer the Service or any firm ware, circuit board, software or Documentation or use any of the foregoing on a service bureau or application service basis. In addition, Customer agrees that: (i) will not reproduce, publish, or distribute content in connection with the Service that infringes any third party's trademark, copyright, patent, trade secret, publicity, privacy, or other personal or proprietary right; (ii) it will comply with all applicable laws, including laws relating to maintenance of privacy, security, and confidentiality of patient and other health information and the prohibition on the use of telecommunications facilities to transmit illegal, obscene, threatening, libelous, harassing, or offensive messages, or otherwise unlawful material; and (iii) it will not:  (a) abuse or misuse the Service, including gaining or attempting to gain unauthorized access to the Service, or altering or destroying information in the Service except in accordance with accepted practices; (b) use the Service in a manner that interferes with Iconic Data’s other users use of the Service; (c) use the Service in any manner that violates the Policies or this Agreement; or (d) or use any ad blocking mechanism, device or tool to prevent the placement of advertisements in the Service, if applicable.  Upon reasonable prior notice, Iconic Data shall have the right to audit Customer’s use of the Service to ensure Customer’s compliance with the terms and conditions herein.

  1. TERM AND TERMINATION. This Agreement shall begin on the Effective Date and remain in effect for the Pilot Term.  Unless Customer notifies Iconic Data at least (10) days prior to the expiration of the Pilot Term of its intent to terminate, the Agreement shall automatically renew for the Initial Term.  Thereafter the Agreement shall automatically renew for additional consecutive one-year terms unless either party notifies the other party of its intent to terminate the Agreement at least thirty (30) days prior to the end of the then current term (each renewal hereinafter referred to as a “Renewal Term”). In the event either party fails to remedy within 30 days after written notice of its failure to perform any material obligation of such party pursuant to this Agreement, the other party may terminate this Agreement. Except as otherwise expressly provided herein, upon any termination of this Agreement, all rights, licenses and obligations of the parties shall immediately cease.  Termination will not relieve or release either party from making payments that are owed or owing under the terms of this Agreement. Sections 4, 6, 7, 8 and 10 -12 shall survive the termination of this Agreement in accordance with their terms.

  1. FEES AND PAYMENTS.  Customer agrees to pay the fees as set forth on the Order.  Except as otherwise provided on the Order, the Pilot Term shall be provided at no charge.  Invoices for the Initial Term and any Renewal Term will be issued on an annual basis prior to the commencement of the applicable Term.  Invoices are due and payable within thirty (30) days of date of invoice. A one and a half percent (1.5%) monthly service charge or the highest amount permissible by law if less is payable on all overdue balances that are outstanding more than thirty (30) days after the date of the invoice.  Iconic Data shall be entitled to any costs of collecting any amount past due hereunder, including reasonable attorneys’ fees.  Iconic Data reserves the right to increase fees up to five percent (5%) per each Renewal Term for the Service.  All fees are exclusive of, and Customer is responsible for, applicable federal, state, or local sales, use, excise or other applicable taxes other than taxes on the net income of Iconic Data.  Customer shall pay or reimburse Iconic Data for any such taxes and Iconic Data may add any such taxes to invoices submitted to Customer by Iconic Data.  Customer also agrees to pay for additional services that are not included in Iconic Data’s standard Service at the then current rates for such services plus actual, reasonable, out-of-pocket expenses incurred in performing such additional services.  Failure to pay fees within ten (10) days of due date may result in termination or suspension of access to the Service without notice, and a reconnection fee may be charged to re-establish connection after termination or suspension due to late payment.

  1. CUSTOMER OBLIGATIONS.  
  1. Customer shall be responsible for any communication link, internet access and any hardware and software necessary for Customer or its Authorized Users to use the Service and Customer shall be responsible for maintaining compatibility with the Service in order to continue its use.
  2.  Customer will implement and maintain appropriate administrative, physical and technical safeguards to protect information within the Service from unauthorized access, use or alteration.  Such safeguards shall comply with federal, state, and local requirements, including the Privacy Rule and the Security Rule.  Customer will maintain appropriate security with regard to all personnel, systems, and administrative processes used by Customer or an Authorized User to transmit, store and process electronic health information through the use of the Service.  Customer will immediately notify Iconic Data of any breach or suspected breach of the security of the Service of which it becomes aware, or any unauthorized use or disclosure of information within or obtained from the Service, and Customer will take such action to mitigate the breach or suspected breach as Iconic Data may direct, and will cooperate with Iconic Data in investigating and mitigating the breach.
  3. Iconic Data authorizes Customer and its Authorized Users to use the User IDs created by Customer or assigned to Customer by Iconic Data.  Customer acquires no ownership rights in any User ID, and User IDs may be revoked or changed at any time in Iconic Data’s sole discretion.  Customer will adopt and maintain reasonable, appropriate security precautions for User IDs to prevent disclosure to or use by unauthorized persons.  Each Authorized User shall have and use a User ID.  Customer will use best efforts to ensure that no Authorized User uses a User ID assigned to another person.
  4. Except as required by law, Customer will not permit any third party (other than an Authorized User) to have access to or use the Service without Iconic Data’s prior written agreement.  Customer will promptly notify Iconic Data of any order or demand for compulsory disclosure of health information if the disclosure requires access to or use of the Service. Customer will cooperate fully with Iconic Data in connection with any such demand.
  5. Customer shall (a) as required by applicable law, provide notice to Customer’s patients in Customer’s privacy policy and as otherwise required by HIPAA and obtain all necessary consents if required, for collection of such patients’ information and use thereof in connection with the Service; (b) comply with Iconic Data’s Policies; (c) be responsible for Authorized Users that use the Service provided hereunder; (d) use the Service in compliance with applicable law; and (e) not undertake or permit any unlawful use of the Service, or take any action that would render the operation or use of the Service by Iconic Data or any other user unlawful.  Iconic Data offers no assurance that use of the Service under the terms of this Agreement will not violate any law or regulation applicable to Customer.
  6. Customer will cooperate with Iconic Data in the administration of the Service, including providing reasonable assistance in evaluating the Service and collecting and reporting data requested by Iconic Data for purposes of administering the Service.

  1. INFORMATION AND BUSINESS ASSOCIATE PROVISIONS.
  1. Both parties agree to comply with the Business Associate Agreement attached hereto as Exhibit B.
  2. Customer authorizes Iconic Data as its business associate, to use and disclose Health Information as follows:
  1. Iconic Data may permit access to Customer Health Information to Customer and its Authorized Users;
  2. Iconic Data may De-Identify Customer Health Information and Personal Information, and use and disclose De-Identified Information as provided in this Agreement and in accordance with applicable law;
  3. Iconic Data may create limited data sets from Customer Health Information, and disclose them for any purpose for which Customer may disclose a limited data set; and Customer hereby authorizes Iconic Data to enter into data use agreements on Customer’s behalf for the use of limited data sets, in accordance with applicable law and regulation;
  4. Iconic Data may aggregate Customer Health Information with that of other users, and share aggregated de-identified information among users;
  5. Iconic Data may use Customer Health Information for the proper management and administration of the Service and its business, and to carry out its legal responsibilities. Iconic Data may also disclose Customer Health Information for such purposes if the disclosure is required by law, or Iconic Data obtain reasonable assurances from the recipient that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and the recipient notifies Iconic Data of any instances of which it is aware in which the confidentiality of the information has been breached.  Without limiting the foregoing, Iconic Data may permit access to the Service by its contracted system developers under appropriate confidentiality agreements.
  6. Iconic Data may use or disclose Customer Health Information for other purposes, as from time to time described in the Policies; provided that Iconic Data will not make or permit any such use or disclosure that would violate applicable law or regulation if made by Customer or Customer’s business associate.  
  1.  Customer acknowledges that in granting access to the Service for the purposes set forth herein, Iconic Data will rely on the assurances of Customer and its Authorized Users as to (i) their identity and credentials, (ii) the purposes for which they are accessing the Service, and (iii) the nature and extent of the information to which they will have access. Customer agrees that Iconic Data will not be responsible for any unlawful access to or use of Customer Health Information by any Authorized User resulting from the Authorized User's misrepresentation to Iconic Data, or breach of the terms herein.
  2.  Iconic Data applies the standards of the Privacy Rule in permitting access to the Service.  Customer acknowledges that other federal and state laws impose additional restrictions on the use and disclosure of certain types of health information, or health information pertaining to certain classes of individuals.
  3.  Customer agrees that it is solely responsible for ensuring that Customer Health Information may properly be disclosed for the purposes set forth above, subject only to the restrictions of the Privacy Rule.  This responsibility includes, but is not limited to, Customer:
  1. not making available through the Service any information subject to any restriction on use or disclosure (whether arising from its agreement with the individual or under law) other than the general restrictions contained in the Privacy Rule;
  2. obtaining any necessary consents, authorizations or releases from individuals required for making their health information available through the Service for the purpose set forth herein;
  3. including such statements (if any) in Customer’s notice of privacy practices as may be required in connection with its use of the Service; and
  4. not placing in the Service any information that Customer knows or has reason to believe is false or materially inaccurate.

  1. INTELLECTUAL PROPERTY RIGHTS/OWNERSHIP.
  1. Service.  Iconic Data shall retain all rights to its Services and Documentation (including without limitation any materials or code provided as part of the Service), trademarks, service marks, technologies, information, trade secrets, know how, intellectual property, information and data generated by Iconic Data or Iconic Data’s systems, whether pre-existing, or created after the Effective Date, including any modifications, enhancements and derivatives thereof (including, without limitation, metrics, data and information generated by such Services and software). No implied licenses are granted herein.
  2. Information.  
  1. Individually Identifiable Health Information.  Except as provided in Section 7(b)(ii) below, Customer retains all rights with regard to Protected Health Information.
  2. De-Identified Information.   In consideration of provision of the Service, Customer hereby transfers and assigns to Iconic Data all right, title and interest in and to all De-Identified Information that Iconic Data makes from Customer Health Information or Personal Information pursuant to Section 6(b)(ii).  Customer agrees that Iconic Data may use, disclose, market, license and sell De-Identified Information for any purpose without restriction, and that Customer has no interest in such information, or in the proceeds of any sale, license, or other commercialization thereof.  Customer acknowledges that the rights conferred by this section are part of the consideration for the provision of the Service.
  3. Other Works and Information.  Customer agrees that any information, material or work product Customer provides for use in connection with the Service, other than Protected Health Information and Personal Information which has not been De-Identified, is the exclusive property of Iconic Data, and by submitting such content or material, Customer assigns to Iconic Data, all intellectual property rights in such content or material. Customer agrees that Iconic Data may use, disclose, market, license and sell such information and works, including derivative products, without restriction.  

  1. CONFIDENTIAL INFORMATION. Iconic Data and Customer understand and agree that in connection with the negotiation and performance of this Agreement, each party may have had or have access to or may have been or be exposed to, directly or indirectly, Confidential Information of the other party.  Each party (on its behalf and on behalf of its subcontractors, employees or representatives, or agents of any kind) agrees to hold and treat all Confidential Information of the other party in confidence and will protect the Confidential Information with the same degree of care as each party uses to protect its own Confidential Information of like nature. The Confidential Information will not, without the prior written consent of the other party, be disclosed to any third party except that the receiving party may disclose the Confidential Information or portions thereof to (a) its directors, officers, employees, agents and representatives on a need-to-know basis or (b) as may be required by law, applicable regulation or judicial process, provided, however, that if the receiving party is required to disclose such Confidential Information under this Section 8, the receiving party shall promptly notify the disclosing party of such pending disclosure and consult with the disclosing party prior to such disclosure as to the advisability of seeking a protective order or other means of preserving the confidentiality of the Confidential Information. Notwithstanding anything contained herein to the contrary, Confidential Information does not include any information that (i) at the time of the disclosure or thereafter is lawfully obtained from publically available sources generally known by the public (other than as a result of a disclosure by the receiving party or its representatives); (ii) is available to the receiving party on a non-confidential basis from a source that is not and was not bound by a confidentiality agreement with respect to the Confidential Information; or (iii) has been independently acquired or developed by the receiving party without violating its obligations under this Agreement or under any federal or state law.

  1. WARRANTIES.  
  1. Each party represents and warrants to the other party that (a) it has the right to enter into this Agreement and perform its obligations hereunder in the manner contemplated by this Agreement, and (b) this Agreement does not and shall not conflict with any other agreement entered into by it.
  2. EXCEPT FOR THE FOREGOING WARRANTIES, AND TO THE FULLEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, ICONIC DATA DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, CONCERNING OR RELATED TO THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  ICONIC DATA DOES NOT WARRANT, GUARANTEE OR MAKE ANY REPRESENTATIONS REGARDING THE USE, THE RESULTS OF THE USE OR THE BENEFITS, OF THE SERVICES, OR ANY INFORMATION CONTAINED THEREIN OR OTHERWISE PROVIDED PURSUANT TO THIS AGREEMENT.  NO ICONIC DATA PERSONNEL IS AUTHORIZED TO MAKE ANY EXPANSION, MODIFICATION OR ADDITION TO THIS LIMITATION OR THE EXCLUSION OF WARRANTIES IN THIS AGREEMENT. In the event of any breach of the warranties contained in this Agreement, the sole and exclusive liability of the breaching party shall be to use commercially reasonable efforts to promptly correct such breach.

  1. LIMITATION OF LIABILITY.  IN NO EVENT SHALL ICONIC DATA BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOST PROFITS, LOSS OF USE, LOSS OF BUSINESS, LOSS OF REVENUE, OR LOSS OF DATA, ARISING OUT OF OR IN RELATION TO THIS AGREEMENT OR THE SERVICES. IN NO EVENT SHALL ICONIC DATA BE LIABLE FOR ANY CAUSE OR CLAIM WHATSOEVER ARISING OUT OF OR RELATED TO THIS AGREEMENT IN EXCESS OF THE AMOUNTS ICONIC DATA HAS BEEN PAID HEREUNDER DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE ON WHICH THE CAUSE OF ACTION AROSE.  THE FOREGOING LIMITATIONS AND EXCLUSIONS WILL APPLY REGARDLESS OF WHETHER THE CAUSE OF ACTION ARISES IN CONTRACT, IN TORT OR OTHERWISE AND NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY REMEDY OR NEGLIGENCE.  APPLICABLE LAW MAY NOT ALLOW THE LIMITATIONS OF LIABILITY AS SET FORTH ABOVE, SO THESE LIMITATIONS MAY NOT APPLY TO YOU.  

  1. INDEMNITY.
  1. By Customer.  Subject to provisions of Section 11(c) below, Customer agrees to indemnify, defend, and hold harmless Iconic Data, and its affiliates, officers, directors, employees and agents, from and against any claim, cost or liability, including reasonable attorneys' fees, arising out of:  (a) the use of the Service by Customer or any of its Authorized Users; (b) any breach by Customer or its Authorized Users of any representations, warranties or agreements contained in this Agreement; (c) the actions of any person gaining access to the Service under a User ID assigned to Customer or its Authorized User; and (d) negligence or willful misconduct of Customer or an Authorized User.  
  2. By Iconic Data.  Subject to the provisions of Section 11(c) below, if a third party claims against Customer that the Service infringes such third party’s U.S. patent issued as of the Effective Date, U.S. copyright or U.S. trademark (a “Claim”), Iconic Data will defend the Claim and pay all costs of defense of such claim, and will indemnify and hold harmless Customer from and against all settlement amounts agreed upon by Iconic Data or damages finally awarded by a court of competent jurisdiction to such third party. Iconic Data’s obligations shall not apply to a claim that is based on:  (a) Customer’s modification of the Service; (b) Customer’s operation or use of the Services in combination with other Customer or third party technology;(c) Customer’s services, products or data; (d) anything supplied by Customer for use in conjunction with the Service; or (e) an act or omission of the Customer or a third party. The indemnification set forth in this Section 11 is Iconic Data’s entire liability, and Customer’s sole and exclusive remedy, for third party claims.
  3. Procedure.  The indemnification obligations hereunder are conditioned upon the party seeking indemnification (a) giving the indemnifying party prompt written notice of any claim, action, suit or proceeding; (b) granting sole control of the defense and settlement to the indemnifying party; and (c) reasonably cooperating with indemnifying party at the indemnifying party’s expense.  In the event that Iconic Data determines a risk of an infringement, at Iconic Data’s option and expense, Iconic Data may (x) replace or modify the Services with substantially equivalent services or replacement services so that the Services are no longer infringing, (y) obtain for Customer the right to continue using the Services or (z) cancel the applicable Service and reimburse Customer for any prepaid but unused Service as of the date of termination. The indemnified party may participate in the defense of the claim at its own expense and in a manner not disruptive to indemnifying party’s conduct of the defense.

  1. INSURANCE.  Customer will obtain and maintain such policies of general liability, errors and omissions, and professional liability insurance with reputable insurance companies as is usually carried by persons engaged in Customer’s business covering the Term of this Agreement.

  1. TERMINATION, SUSPENSION OR AMENDMENT OF SERVICE.
  1. Notwithstanding anything to the contrary in this Agreement, Iconic Data has the right, on notice to Customer, immediately to terminate, suspend, or amend this Agreement, without liability:  (a) to comply with any order issued or proposed to be issued by any governmental agency; (b) to comply with any provision of law, any standard of participation in any reimbursement program, or any accreditation standard; (c) if performance of any term of this Agreement by either party would cause it to be in violation of law; (d) if Customer is named as a defendant in a criminal proceeding for a violation of federal or state law; (e) if a finding or stipulation is made or entered into that Customer has violated any standard or requirement of federal or state law relating to the privacy or security of health information is made in any administrative or civil proceeding; (f) Customer is excluded from participation in a federal or state health care program or (g) Customer ceases to be qualified to provide services as a health care professional.
  2. Iconic Data may change the Service and the terms under which they are provided to Customer (including terms set forth in this Agreement) by providing Customer notice of such change, and such notice may be given by electronic posting of the then current terms upon request. Customer’s continued use after such posting constitutes acceptance of the change, which shall thereupon become part of this Agreement.

  1. Force Majeure.  The parties shall not be liable to each other or any other person for any delay or failure in the performance of this Agreement or for loss or damage of any nature whatsoever suffered by such party due to disruption or unavailability of communication facilities, utility or Internet service provider failure, acts of war, acts of terrorism, acts of vandalism, lightning, fire, strike, unavailability of energy sources or any other causes beyond the party’s reasonable control.

  1. Notices.  All notices, demands or consents required or permitted under this Agreement shall be in writing, addressed to the party for whom intended at the address set forth on the Order or at such address as may be furnished by such party in writing. Notices shall be deemed given when delivered personally, one business day after day of facsimile transmission evidenced by facsimile confirmation, the first business day after sent by overnight mail courier or the fifth business day after mailing by United States Mail, first class mail, certified or registered.

  1. Miscellaneous. This Agreement, together with all Exhibits hereto, contains the entire agreement of the parties, and supersedes any and all previous agreements addressed herein or with respect to the subject matter hereof, whether oral or written.  Iconic Data hereby rejects any terms or conditions (“Form Terms”) appearing on any purchase order or other supplements that are in addition to, or different from, the terms and conditions of this Agreement, and the parties agree that all such Form Terms shall be void and of no force or effect. This Agreement shall be binding and shall inure to the benefit of the parties hereto and their respective successors and permitted assigns.  This Agreement may not be assigned by Customer without Iconic Data’s prior written consent, such consent not to be unreasonably withheld. Iconic Data may assign this Agreement to any successor to its business. The parties are independent contractors and neither this Agreement nor the performance of Service shall create an association, partnership, joint venture, or relationship of principal and agent, master and servant, or employer and employee, between the parties; and neither party will have the right, power or authority (whether expressed or implied) to enter into or assume any duty or obligation on behalf of the other party.  Nothing express or implied in this Agreement is intended to confer, nor shall confer, upon any person or entity other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.  If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force and the unenforceable provision shall be interpreted so as to render it enforceable while approximating the parties’ intent as closely as possible. This Agreement shall be governed in all respects, including validity, interpretation and effect, by the laws of the State of Georgia and exclusive venue shall be in the courts of the State of Georgia.  This Agreement may be executed in two counterparts, each of which shall be deemed to be an original, and both of which together shall constitute one contract. The headings in this Agreement are for purposes of reference only and shall not limit or otherwise affect the meaning hereof.


EXHIBIT A

DEFINITIONS

  1. Authorized User" means an employee, agent or independent contractor who is individually authorized by Customer to have access to the Service.
  2. Confidential Information” means private or confidential information of the other party, including, but not limited to, trade secrets, computer programs and code, scripts, algorithms, features and modes of operation, inventions (whether or not patentable), techniques, processes, methodologies, schematics, testing procedures, software design and architecture, design and function specifications, analysis and performance information, documentation, details of its products and services, as well as names and expertise of, and information relating to, vendors, employees, consultants, customers and prospects, know-how, ideas, and technical, business, financial or marketing information and strategies and any other information that the receiving party reasonably should know is confidential.
  3. Customer Health Information” means Protected Health Information that Customer enters into the Service.
  4. Documentation” means the user manual provided by Iconic Data in connection with the Service, if any.
  5. "De-identified Health Information" means health information that has been de-identified in accordance with the provisions of the Privacy Rule, and "De-Identify," with respect to health information, means make it into De Identified Health Information.
  6. "De-Identified Information" means De-Identified Health Information and De-Identified Personal Information.
  7. "De-Identified Personal Information" means personal information from which a user's name and other unique identifiers have been removed, and from which the user cannot reasonably be identified; and "De-Identify," with respect to Personal Information, means to make it into De-Identified Personal Information.
  8. Enhancement” means non-standard upgrades and optional product enhancements, which may include but not be limited to separate Iconic Data products, integration work, customization and non-standard features.
  9. "HIPAA" means the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, and any amendments to any of the foregoing, including but not limited to the Privacy Rule and the Security Rule.
  10. Initial Term” shall have the meaning set forth on the Order.
  11. "Personal Information" means information that identifies Customer or an Authorized User individually as a user of the Service, and all information concerning such use of the Service that is not Protected Health Information.
  12. Pilot Term” shall have the meaning set forth on the Order.
  13. "Policies" means Iconic Data’s rules, regulations, policies and procedures for access to and use of the Service, as changed from time to time and as posted electronically on Iconic Data’s Internet web site.
  14. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
  15. "Protected Health Information" has the meaning given it in the Privacy Rule, and includes all individually identifiable health information concerning Customer’s patients that Customer provides to the Service.
  16. Renewal Term” shall have the meaning set forth in Section 3 of Agreement.
  17. "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 160 and part 164, subparts A and C.
  18. Service” means the subscription service provided by Iconic Data through an electronic network utilizing Iconic Data’s proprietary technology.
  19. Standard Upgrades” means all patches, fixes, standard new releases and new versions of the Service made generally available by Iconic Data to its customers generally at no additional charge during the Term.
  20. Term” shall refer to the Pilot Term, Initial Term or any Renewal Term, as applicable.  
  21. "User ID" means a unique user identification assigned to or created by an individual Authorized User, which may include but is not limited to, a unique email address or password, as reasonably determined by Customer from time to time.


EXHIBIT B

BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is made by and between the ("Covered Entity") named in one or more Sign-up Forms and Iconic Data Inc. ("Business Associate"). It is effective as of the date of execution of the underlying Contract including Terms and Conditions.

I. BACKGROUND

Covered Entity and Business Associate are party to that certain Terms and Conditions  (the "Underlying Agreement") pursuant to which Business Associate may receive Protected Health Information in its performance of the services it provides to Covered Entity.  Both Covered Entity and Business Associate are committed to complying with the Privacy Standards and the Security Standards under the Health Insurance Portability and Accountability Act of 1996 and its implementing Administrative Simplification regulations ("HIPAA"), including as amended by the provisions of the Health Information Technology for Economic and Clinical Health Act and its implementing regulations ("HITECH").

This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, Business Associate from or on behalf of Covered Entity, will be handled by Business Associate and with third parties during the term of the Underlying Agreement and after its termination or expiration. NOW THEREFORE, the Parties hereto, intending to be legally bound, agree to the following provisions. Except as expressly set forth herein, all terms and conditions of the Underlying Agreement are hereby ratified and shall remain in full force and effect.

II. DEFINITIONS

For purposes of this Agreement, the following terms shall have the meanings set forth below:

  1. Breach  shall mean the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI.
  2. Business Associate  shall be interpreted in a manner consistent with the definition of "business associate" under HIPAA.
  3. Covered Entity  shall be interpreted in a manner consistent with the definition of "covered entity" under HIPAA.
  4. Electronic Protected Health Information  shall have meaning set forth in 45 CFR 160.103.
  5. HIPAA Regulations  shall mean the federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information described at 45 CFR part 160 and part 164, subparts A,C and E, as amended from time to time.
  6. Individual  shall have the meaning set forth in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
  7. Protected Health Information or PHI  shall have the meaning set forth in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  8. Required by Law  shall have the meaning set forth in 45 CFR 164.103.
  9. Secretary  shall mean the Secretary of the Department of Health and Human Services or his or her designee.
  10. Security Incident  shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  11. Unsecured PHI  shall mean PHI that is not secured through the use of technology or methods approved by the Secretary of Health and Human Services to render the PHI unusable, unreadable or indecipherable to unauthorized individuals.

Any capitalized term without definition shall have the same meaning ascribed to it in HIPAA Regulations and HITECH statutory and regulatory provisions.

III. HITECH COMPLIANCE

Business Associate shall comply with all applicable requirements of Title XII, Subtitle D of HITECH, 42 U.S.C. Sections 17921-17954 and all applicable HITECH implementing regulations issued by the Department of Health and Human Services as of the date by which Business Associate must comply with such statutory and regulatory requirements.

IV. PERMITTED USES AND DISCLOSURES OF PHI
  1. Services . Business Associate shall retain, use and disclose PHI only to perform functions, activities, or services for, or on behalf of, Covered Entity as contemplated by this Agreement and the Underlying Agreement, provided that such retention, use or disclosure would not violate the HIPAA Regulations if done by the Covered Entity.
  2. Business Activities of the Business Associate . In addition to those provisions dealing with Information and Business Associate Provisions as detailed in the Terms of Service entered into by the Covered Entity and Iconic Data Inc., and unless otherwise limited herein, Business Associate may:
  1. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
  2. Disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or that Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which is was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
  3. With express written permission by the Covered Entity, use PHI to provide data aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).

V. RESPONSIBILITIES WITH RESPECT TO PHI
  1. Responsibilities of the Business Associate. With regard to its use or disclosure of PHI, the Business Associate hereby agrees as follows:
  1. to use or disclose PHI only as permitted or required by the Underlying Agreement, this Agreement, or as Required by Law;
  2. to implement administrative, physical and technical safeguards that (a) reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the HIPAA Regulations, and (b) prevent the use or disclosure of PHI other than as contemplated by the Underlying Agreement and this Agreement;
  3. to report to the Covered Entity, within five (5) days after discovery by the Business Associate, (a) any Security Incident and (b) any other use or disclosure of PHI that is not permitted or required by the Underlying Agreement, including a Breach of Unsecured PHI. Upon notification by Business Associate (i) Covered Entity shall bear sole responsibility for determining the need for and directing the implementation of any notification concerning any Breach of Unsecured PHI, (ii) Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional investigation and/or assessment necessary to determine and document whether a Breach of Unsecured PHI has occurred and shall provide any and all related documentation to Covered Entity, and (iii) Business Associate shall provide Covered Entity with sufficient and detailed information in order that individual notification may be made if required, including the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed.
  4. to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of the Underlying Agreement and this Agreement;
  5. to require that all of its subcontractors and agents that receive, use or have access to PHI hereunder agree in writing to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate pursuant to this Agreement with respect to such information;
  6. to make available to the Covered Entity or the Secretary all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI, in a time and manner designated by the Covered Entity or Secretary, for purposes of determining the Covered Entity's compliance with the HIPAA Regulations, subject to attorney-client and other applicable legal privileges;
  7. to document such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528;
  8. to provide to the Covered Entity, in the time and manner designated by the Covered Entity, the information collected in accordance with the immediately preceding paragraph, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528; and
  9. to disclose to its affiliates, subsidiaries, agents, subcontractors and other third parties, and to request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
  1. Responsibilities of the Covered Entity. With regard to the use or disclosure of PHI by the Business Associate, the Covered Entity agrees as follows:
  1. to inform the Business Associate of any changes in the form of notice of privacy practices that the Covered Entity provides to Individuals pursuant to 45 CFR §164.520;
  2. to inform the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclosure PHI to the extent that such changes affect the Business Associate's use or disclosure of PHI; and
  3. to notify Business Associate, in writing and in a timely manner, of any arrangements made by the Covered Entity that may affect the Business Associate's use or disclosure of PHI, including, but not limited to, restrictions on use or disclosure of PHI agreed to by the Covered Entity in accordance with 45 CFR § 164.522.

VI. ADDITIONAL RESPONSIBILITIES WITH RESPECT TO DESIGNATED RECORD SETS

In the event that the Covered Entity notifies the Business Associate that any PHI created, held or maintained by the Business Associate or to which the Business Associate has access, constitutes a Designated Record Set, the Business Associate hereby agrees to:

  1. at the request of, and in the time and manner designated by the Covered Entity, to provide access to PHI maintained by the Business Associate to the Covered Entity or, as directed by the Covered Entity, to an Individual in order to meet the requirements of 45 CFR § 164.524; and
  2. at the request of, and in the time and manner designated by the Covered Entity, to make any amendments to PHI that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526.

VII. TERM AND TERMINATION
  1. Term.  The obligations set forth in this Agreement shall become effective on the effective date of Covered Entity's execution of the Underlying Agreement and, except as provided below, shall terminate upon the termination or expiration of the Underlying Agreement.
  2. Termination by the Covered Entity.  Without limiting the termination rights of the parties as described elsewhere in the Underlying Agreement, the Covered Entity shall be entitled to immediately terminate the Underlying Agreement (and any other agreements or arrangements relating thereto) if the Covered Entity determines that the Business Associate has breached a material provision of this Agreement. Alternatively, the Covered Entity may afford the Business Associate a thirty (30)-day cure period; provided, however, that failure by Business Associate to cure the alleged breach to the Covered Entity's satisfaction within the thirty (30) day period shall be grounds for immediate termination of the Underlying Agreement. If neither termination of the Underlying Agreement nor cure of the breach is feasible, the Covered Entity shall report the violation to the Secretary.
  3. Effect of Termination.
  1. Except as provided by law, by the Terms of Service entered into by the parties, which is incorporated by reference herein, or otherwise, upon termination of the Underlying Agreement, for any reason, the Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity (including without limitation destroying all backup tapes and permanently deleting all Electronic PHI). This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Except as provided herein, Business Associate shall retain no copies of the PHI.
  2. In the event that the Business Associate determines that returning or destroying any PHI (whether held by the Business Associate or its subcontractor) is not feasible, the Business Associate shall provide to the Covered Entity written notification of the conditions that make return or destruction of the PHI infeasible.  Business Associate shall (or shall require its subcontractor to) extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate (or subcontractor) maintains such PHI.

VIII. INDEMNIFICATION

Covered Entity shall indemnify and hold harmless Business Associate and its affiliates, directors, officers, employees and agents against any and all losses, liabilities, judgments, penalties, awards and costs, including, without limitations any costs associated with taking steps required under the HITECH Act in connection with a Breach of Unsecured PHI, and any other fees and expenses, arising out of or related to a breach of this Agreement by Covered Entity or Covered Entity’s agents and subcontractors.

Likewise, Business Associate shall indemnify and hold harmless Covered Entity and its affiliates, directors, officers, employees and agents against any and all losses, liabilities, judgments, penalties, awards and costs, including, without limitations any costs associated with taking steps required under the HITECH Act in connection with a Breach of Unsecured PHI, and any other fees and expenses, arising out of or related to a breach of this Agreement by Business Associate or Business Associate’s agents and subcontractors.

IX. MISCELLANEOUS
  1. Survival . The respective rights and obligations of the Business Associate and the Covered Entity under Section V above shall survive the termination of this Agreement.
  2. No Third Party Beneficiaries . Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights or remedies whatsoever.
  3. Conflict with Agreement . In the event of a conflict between the terms of this Agreement and the terms of the Underlying Agreement, the terms of this Agreement shall control.

NOW THEREFORE, this Agreement shall be effective as of the date this Agreement was signed by electronic signature by a duly authorized representative of the Covered Entity stated above.