Intructions: 

Please complete the short form below. The information entered into these form fields will be placed into the Agreement as the Company entering into the Software Agreement and Business Associate agreement with VirtuOx regarding Office Plus product.  Then review the entire agreement, including updated pricing and billing terms, and the Business Associate Agreement addendum and if you are an authorized representative of the Company, sign and date the form at the end and submit.   VirtuOx will review and countersign. 

THIS SOFTWARE SERVICES AND LICENSE AGREEMENT (the “Services
Agreement”), dated the later of the two dates on which this Services Agreement is electronically signed by User (as defined below) and accepted by VTX (as defined below) (the effective date “), is entered into between VirtuOx, Inc. (“VTX”), a Florida company, and the entity or individual who signs this Service Agreement, (“User”) (“{companyName}”) (VTX and User may be referred to individually as “Party” and collectively as “Parties”). VTX is the owner of Office Plus a web-based software that allows health care professionals to perform overnight pulse oximetry testing to produce non-IDTF certified reports. User wishes to procure from VTX the right to access and use the Office Plus Software, and VTX wishes to provide such software to User, each on the terms and conditions set forth in this Services Agreement.

NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

1. DESCRIPTION OF SERVICES.
(a) This Services Agreement establishes a contractual relationship between VTX and User pursuant to which VTX will provide User with access to the Office Plus Software. The Office Plus Software will enable User to facilitate the provision of overnight pulse oximetry testing to its Customers via the Office Plus Software.
(b) VTX may reasonably supplement, modify, substitute or otherwise alter the Office Plus Software, as well as the Services provided under this Services Agreement, from time to time, with or without notice to User, provided such alterations do not materially reduce the functionality of the Office Plus Software or the Services.

2. LICENSE. VTX grants User a non-exclusive, non-transferrable, royalty free license during the term of this Services Agreement to access and use the Office Plus Software solely in connection with User’s business and to permit the employees and agents of User who provide health care services on User’s behalf to do the same, subject to all of the conditions and restrictions set forth in the License Addendum, which is attached hereto as Attachment A and hereby incorporated herein. Any provisions of the License Addendum holding User to more stringent requirements shall prevail over less stringent provisions of this Services Agreement. Without limiting any provision of the License Addendum, User acknowledges that the Office Plus Software represents and will continue to represent the

valuable, confidential, and proprietary property of VTX and its affiliates. VTX is not by this Services Agreement conveying to User any proprietary or other rights (including any patent rights, copyrights, trade secrets, trademarks, service marks and related goodwill) in the Office Plus Software, except as expressly set forth in the License Addendum. Accordingly, User acknowledges that, except as expressly provided for in the License Addendum, neither User, nor any of its shareholders, directors, employees or agents, possesses any right, title or ownership in or to the Office Plus Software.

3. TERM AND TERMINATION
(a) The term of this Services Agreement shall commence as of the Effective Date and shall continue for one year unless otherwise terminated as provided herein. Thereafter, the Services Agreement shall be automatically extended for additional one-year terms or upon such other terms and conditions as may be agreed upon by the Parties and memorialized in a written amendment to this Services Agreement.
(b) This Services Agreement may be terminated by either Party, with or without cause and without penalty, upon the provision of ninety (90) days written notice.
(c) In the event of a material breach of this Services Agreement, this Services Agreement may be terminated by the non-breaching Party upon 30 days advance written notice to the other Party and such breach is not cured to the reasonable satisfaction of the non-breaching Party within such 30-day period, provided, however, that such time to cure shall be extended for an additional thirty (30) days or as otherwise agreed by the Parties in writing, so long as the non-breaching Party is continuously and diligently pursuing such cure.
(d) The termination of this Services Agreement shall not release or discharge either Party from any obligation, debt or liability which shall have previously accrued and remain to be performed upon the date of termination.

4. COMPLIANCE WITH LAW. User agrees that, at all times during the term of this Services Agreement, User and each of its employees, contractors or agents who use or have access to the Office Plus Software, shall conduct its activities under this Services Agreement, including its use of the Office Plus Software, in full compliance with all applicable federal, state and local laws, regulations and other legal requirements, including but not limited to state licensure and registration, scope of practice, informed consent and record keeping requirements. VTX agrees that, at all times during the term of this Services Agreement, VTX and each of its employees, contractors or agents who provide the Office Plus Software and perform the Services, shall conduct its activities under this Services Agreement, in full compliance with all applicable federal, state and

local laws, regulations and other legal requirements, including but not limited to record keeping requirements. VTX agrees that when at User’s location, VTX and each of its employees, contractors or agents will comply with User’s applicable policies and procedures.

5. HIPAA COMPLIANCE. Each Party will maintain the confidentiality of all Protected Health Information, as that term is defined in 45 C.F.R. § 160.103, and will at all times comply with all applicable federal, state and local laws and regulations, including but not limited to, the applicable provisions of the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d, et seq. and 45 C.F.R. §§ 160, 162 and 164 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in connection with the use and disclosure of protected health information, in accordance with the terms and conditions of the HIPAA Business Associate Addendum, attached hereto as Attachment B.

6. INDEPENDENCE OF PROFESSIONAL JUDGMENT. Neither Party shall exercise any control or direction over the specific methods by which any physicians practice medicine or provide medical care through the Office Plus Software. Nothing contained in this Services Agreement shall require referrals to specific health care facilities, interfere with Customers’ choice of medical treatment, or interfere with any physician’s or other health care practitioner’s independent medical judgment.

7. DISCLAIMER OF LEGAL ADVICE. VTX may from time to time provide information and resources to User including, but not limited to, sample website terms and conditions. The provision of this information or sample materials shall not be intended as the provision of legal advice or guidance. VTX encourages User to consult with local counsel for legal advice or guidance in connection with using the VTX Office Plus Software.

 

8. TRADEMARKS AND APPROVAL OF User’s MATERIALS. VTX is and shall remain the sole owner of all marks related to Office Plus., Any and all User advertising, promotional and other materials which mention Office Plus , or include any other VTX Marks, shall be subject to

VTX’s prior review and written approval, which approval shall not be unreasonably withheld.

9. CONFIDENTIAL AND PROPRIETARY INFORMATION. The Party receiving Confidential Information from the disclosing Party shall not disclose such Confidential Information, as hereinafter defined, without the disclosing Party’s express written authorization; except in the event of a dispute between the Parties, such Confidential Information will not be used in any way directly or indirectly detrimental to the disclosing Party; and each Party will keep the other Party’s Confidential Information confidential and will ensure that its employees and agents who have access to such Confidential Information comply with these nondisclosure obligations. “Confidential Information” shall include User records, VTX records, and all other confidential information of either Party (whether written or oral), including all confidential notes, studies, forms, business or management methods, marketing data, or trade secrets of such Party, except for information that is (i) available to and known by the public (other than as a result of an unpermitted disclosure directly or indirectly by the receiving Party or its agents or representatives), (ii) in the possession of the receiving Party prior to disclosure by the disclosing Party, or (iii) is developed by the receiving Party without reference to the disclosing Party’s Confidential Information. If a receiving Party is required by law to disclose any Confidential Information of the disclosing Party, whether in a legal or a regulatory proceeding or otherwise, the receiving Party ordered to disclose such Confidential Information shall, to the extent permitted under applicable law, provide the disclosing Party with prompt written notice of such request. Notwithstanding the foregoing, each Party may disclose the other Party’s Confidential Information to its legal, financial, and other consultants under an obligation of confidentiality consistent with this provision and may also disclose the disclosing Party’s Confidential Information in applicable court and/or arbitration documents and proceedings in the event of a dispute between the Parties, provided that reasonable steps are taken to protect the confidentiality of the disclosures in such court and/or arbitration documents and proceedings. The obligation to maintain the confidentiality of Confidential Information shall survive termination of this Services Agreement so long as such Confidential Information retains its confidential nature. Confidential Information does not include Protected Health Information, which is governed by the Business Associate Addendum and Section 5, herein.

10. MUTUAL INDEMNIFICATION FOR THIRD PARTY CLAIMS. Each Party to this Services Agreement shall indemnify and hold the other Party to this Services Agreement, and their affiliates, successors and assigns, and their respective managers, members officers, directors, employees, and agents, harmless from any and all claims asserted against the indemnified Party by any person who is not a party to this Services Agreement (and all related liabilities, costs and expenses of any kind whatsoever, including but not limited to attorneys’ fees and court costs), arising out of any breach by the indemnifying Party, its agents, employees, or servants of any covenant or condition of this Services Agreement or arising out of negligent or intentional acts or failures to act of the indemnifying Party, its agents, employees or servants. The obligations herein shall survive termination of this Services Agreement. If any Party has reason to believe that it has suffered or incurred (or

has a reasonable belief that it will suffer or incur) any indemnified loss subject to the indemnity hereunder, such Party shall so notify the indemnifying Party promptly in writing describing such loss or expense. With respect to any action at law, suit in equity, administrative action or arbitration or mediation proceeding that is instituted by or against a third party with respect to which any person intends to claim any liability or expense under this Section, the indemnifying Party shall have twenty (20) business days after receipt of the notice to notify the indemnified Party that it elects to participate in the conduct of any action, suit or proceeding with respect to such claim. If the indemnifying Party gives such notice, the indemnifying Party shall have the right, at its sole expense, to participate in the conduct and settlement of such action, suit or proceeding and both Parties shall cooperate with the other in connection therewith. The indemnifying Party shall not consent to the entry of any judgment or enter into any settlement with respect to an indemnified matter which requires any action other than consent from the indemnified Party without the written consent of the indemnified Party (which consent shall not be unreasonably withheld, conditioned or delayed).

11. ARBITRATION, GOVERNING LAW AND JURISDICTION FOR DISPUTE RESOLUTION. Any controversy or claim arising out of or relating to this Services Agreement, or the breach thereof, that cannot be resolved directly between the Parties, shall be settled by arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules applying the laws of the State of Florida, and judgment on the award rendered by the arbitrator(s) shall be entered in the Circuit Court of Duval County, Florida, provided however, that either party may seek equitable relief, including, without limitation, a temporary restraining order or preliminary injunction, from a court of competent jurisdiction to preserve the status quo or prevent irreparable harm. If, notwithstanding the preceding provision, a court of competent jurisdiction determines that an action or a proceeding may be brought by a Party in connection with this Services Agreement, the validity, construction and effect of the Services Agreement, and all extensions and modifications thereof, shall be construed in accordance with the laws of the State of Florida. Any disputes or claims arising out of this Services Agreement or any other matter related hereto shall be brought into the appropriate court of Duval County, Florida or in the United States District Court for the Northern District of Florida, as may be appropriate, and the Parties agree to submit to the in personam jurisdiction and venue of said courts. The prevailing Party shall be entitled to all costs, including reasonable attorneys’ fees, incurred to enforce its rights hereunder.

12. INDEPENDENT CONTRACTORS. The relationship between the Parties under this Services Agreement shall be solely that of independent contractors entering into a services agreement. No representations or assertions shall be made, or actions taken by any Party which could imply or establish any joint venture, partnership, employment or trust relationship between the Parties with respect to the subject matter of this Services Agreement. No Party shall have any authority or power whatsoever to enter into any

agreement, contract or commitment on behalf of the other Party or create any liability or obligation whatsoever on behalf of the other Party to any person or entity.

13. NO ASSIGNMENT. Except as otherwise provided herein, this Services Agreement may not be assigned, or the rights granted herein transferred or sublicensed, by either Party without the express prior written consent of the other Party, which will not be unreasonably refused. The Office Plus Software and User’s account therein cannot be assigned, transferred or used by anyone other than User or User’s designated users without VTX’s written permission. Any attempted assignment in contravention of this Section shall be of no force or effect and shall not act to relieve User or VTX of any responsibility or liability under this Services Agreement. Any attempted assignment in contravention of this Section shall not act to convey, transfer or assign any rights to any third party and no such rights shall inure to the benefit of any such third party. Notwithstanding the foregoing, either Party may, without the other Party’s consent, assign this Services Agreement in whole or in part, to an affiliate under common control or to a successor entity that acquires all or substantially all of such Party’s assets. This Services Agreement shall inure to the benefit of, and be binding upon, the Parties hereto and their respective successors and assigns allowed under this Services Agreement.

14. REPRESENTATIONS AND WARRANTIES.
(a) VTX represents and warrants that VTX has not made, and does not intend to make, any assignments, grants, licenses, encumbrances, obligations or agreements, either written, oral or implied, inconsistent with this Services Agreement.
(b) VTX represents and warrants the VTX has no other agreement of any nature with any person or entity which would prevent VTX from entering into this Services Agreement.
(c) VTX warrants that: (i) it will perform the Services Agreement and the Services in a good, workmanlike and professional manner, in accordance with all applicable professional standards; (ii) VTX has and shall maintain all required licenses, consents, approvals, and permits necessary to perform the Services and provide the deliverables under this Services Agreement; (iii) all persons performing the Services shall have the appropriate knowledge, training and experience to perform the Services; (iv) the Office Plus Software shall substantially conform to and operate pursuant to the applicable specifications provided to User; and (v) VTX shall use due care when accessing User’s computer systems and shall not take any actions that would cause harm to such systems or any data thereon.

15. PARTICIPATION IN STATE AND FEDERAL PROGRAMS. Each Party represents that it is not debarred, suspended or otherwise ineligible to participate in any state or federal program. If either Party during the term of this Services Agreement becomes, debarred,

suspended or otherwise ineligible to participate in any state or federal program, the other Party may terminate this Agreement immediately.

16. SOFTWARE INFRINGEMENT AND REMEDIES. In the event an injunction is obtained against use of the Office Plus Software, which injunction is not contested and removed or vacated within a reasonably prompt time by VTX, VTX shall promptly, in addition to its obligations in subsection (i) above, at its option and expense, either:
(a) Procure for User the right to continue to use the infringing Office Plus Software;
(b) Replace or modify the infringing Office Plus Software to make its use non- infringing while being capable of performing the same function without degradation of performance, or
(c) Terminate this Services Agreement and return to User amounts paid by User under this Services Agreement any amounts paid that are attributable to any period after the termination of this Services Agreement.

17. AUDIT AND DATA PROTECTION. VTX shall establish and maintain appropriate safeguards to prevent the destruction, loss or alteration of User data in the possession or control of VTX. Such safeguards shall be no less rigorous than (i) those maintained by VTX for its own data of a similar nature; (ii) those maintained by VTX for its other customers’ data of a similar nature; (iii) those generally used in the applicable industry; and (iv) those required by applicable laws and regulations (including, but not limited to, all applicable privacy and confidentiality laws and regulations). User shall have the right (but not the obligation) to establish backup security for User data and to keep backup User data and User data files in its possession if it chooses.
Each Party shall keep and maintain complete books and records pertaining to the products and services provided under an Agreement. During the term of this Agreement and any extensions thereof, and for a period of one (1) year after expiration or termination of all Agreements, either Party, or any independent third party accounting firm or other agent designated by such Party, shall have the right during regular business hours, upon at least seventy-two (72) hours’ prior notice, to access and audit the other Party’s applicable books, records and systems to ensure that Party’s compliance with the Agreement. Furthermore, each Party shall reasonably assist the requesting Party and any third party designated by the requesting Party with such audits. Such audits shall not unreasonably interfere with the audited Party’s business operations.

18. MISCELLANEOUS. Each Attachment shall incorporate by reference the provisions of this Services Agreement as though such provisions were set forth therein in their entirety; provided that, any provisions of the Attachments holding User or VTX to more stringent requirements shall prevail over less stringent provisions of this Services Agreement. All provisions of this Services Agreement shall be binding upon the Parties hereto, their respective successors, legal representatives and assigns. The electronic execution and

performance of this Services Agreement by each Party has been duly authorized by an individual with the authority to bind each Party to its terms. No waiver by any Party hereto of any of its rights under this Services Agreement shall be effective unless in writing and signed by an officer of the Party waiving such right. This Services Agreement may not be modified except by a writing signed by each of the Parties hereto. The descriptive headings of the several sections hereof are inserted for convenience only and shall not control or affect the meaning or construction of any of the provisions hereof. Wherever possible each provision of this Services Agreement shall be interpreted in such manner as to be effective and valid under applicable law, but if any provision of this Services Agreement shall be prohibited by or invalid under applicable law, such provision shall be ineffective to the extent of such prohibition or invalidity, without invalidating or changing the remainder of such provision or the remaining provisions of this Services Agreement.

Any notice by any of the Parties to the other Party shall be in writing and shall be deemed to have been given on the earlier of (a) the date on which it is delivered personally, or
(b) four days after its deposit in the U.S. Mail, postage prepaid, certified with return receipt requested, and addressed to User at the address provided during the registration process and to VTX at following address: 5850 Coral Ridge Drive, Suite 304, Coral Springs, FL 33076 Attention: Kyle Miko.
This Services Agreement constitutes the entire agreement of the Parties hereto with respect to the subject matter hereof and cancels and supersedes any and all prior written or oral contracts or negotiations between the Parties hereto with respect to the subject matter hereof. This Services Agreement shall not be valid or enforceable until it is accepted by User and VTX.

ATTACHMENT A LICENSE TERMS AND FEES

LICENSE TERMS

• All rights not expressly granted to User by the VTX Services Agreement (including this Attachment A) are reserved for VTX. Without limiting the generality of the previous sentence, and except to the extent specifically permitted in this Attachment A, User may not: (a) modify the Office Plus Software or separate out any of its components for use with other software; (b) permit another person other than User’s designees to use the Office Plus Software; (c) decompile, disassemble, or otherwise reverse engineer the Office Plus Software; (d) remove, obscure or alter any notice of copyright, trademark or other proprietary right present on or in the Office Plus Software or (e) resell the Office Plus Software or provide the Office Plus Software to or on behalf of other entities. User understands that the Office Plus Software is licensed to User and not sold. VTX retains title to and ownership of all right, title and interest, including all intellectual property rights in and with respect to the Office Plus Software, materials and documentation.

• VTX may occasionally provide updates and modifications to the Office Plus Software in its sole and absolute discretion. VTX does not warrant that there will be any specified number of updates or modifications, if at all, to the Office Plus Software, or that any or all errors will be addressed or resolved by an update or modification. VTX has no obligation to notify User of any modifications or changes to the software. Notwithstanding the foregoing, to the extent VTX accesses User’s computer software, installs any software or other products or data on User’s computer software and/or provides any software or other products or data to User to install on User’s computer software, User shall use due care when doing so and shall not take any actions that would cause harm to such software or any data thereon. VTX represents and warrants that it shall use commercially reasonable efforts so that no computer viruses, Trojan horses, worms or other malware are coded or introduced into the User’s computer systems, or any software, products or other deliverables provided by VTX. Such commercially reasonable efforts shall include, but not be limited to, the use of current industry standard protections (e.g., up-to-date virus protection software).

• User agrees to use the Office Plus Software provided by VTX only for lawful purposes. Transmission or publication of any information, data or material in violation of any U.S. Federal, state or foreign regulation or law, including export control laws, is prohibited. This includes, but is not limited to, material protected by copyright, trade secret, privacy rights, or any other statute.

• Except as expressly provided herein, the Office Plus Software is provided to User “AS- IS” and VTX makes no warranties of any kind, whether expressed or implied, for the Office Plus Software or any other service VTX provides. User and VTX also disclaims any warranty of merchantability, fitness for a particular purpose, title and non-infringement. Except as expressly provided herein and to the extent of any willful or intentional conduct of VTX, VTX

is not responsible for damages User suffers from use of the Office Plus Software, including loss of data resulting from delays, non-deliveries, mis deliveries, data-entry errors, incorrect diagnoses (including by User’s agents or other representatives), service interruptions or security breaches, whether caused by User’s or VTX’s negligence, User’s errors or omissions, or due to the fault of third parties. Neither VTX or User nor their affiliates or agents shall be liable for any lost profits, lost data, special, incidental, consequential, indirect or exemplary damages, even if advised of the possibility of such damages. VTX’s and User’s liability under this Services Agreement, whether arising under theory of contract, tort (including negligence), and strict liability or otherwise, shall in no event exceed the amount of any fees paid by User to VTX. Notwithstanding anything in this Services Agreement to the contrary, no liability limit shall apply to VTX’s infringement of User’s or its affiliate or any third party’s intellectual property.

• VTX does not and cannot control the flow of data to or from the Office Plus Software. Such flow depends in large part on the performance of internet service providers or is otherwise controlled by third parties. At times, actions or inactions of such third parties can impair or disrupt or slow connections to the Internet (or portions thereof). Although VTX
will use commercially reasonable efforts to remedy such VTX events, VTX cannot guarantee that such events will not occur. Accordingly, except with respect to VTX’s obligation in the preceding sentence and remedies within VTX’s reasonable control, VTX disclaims any and all liability, express or implied, resulting from or related to communication or data transmission failures or latencies or security breaches, to the extent permitted under applicable law.

• User acknowledges and agrees that the provisions under this Attachment A that limit liability, disclaim warranties, or exclude consequential damages or other damages or remedies are essential terms of this Services Agreement that are fundamental to the Parties’ understanding regarding allocation of risk. Accordingly, such provisions shall be severable and independent of any other provisions and shall be enforced as such, regardless of any breach or other occurrence hereunder. Without limiting the generality of the foregoing, User agrees that all limitations of liability, disclaimers of warranties, and exclusions of consequential damages or other damages or remedies shall remain fully valid, effective and enforceable in accordance with their respective terms, even under circumstances that cause any exclusive remedy under the Services Agreement to fail of its essential purpose.

• Upon notice, published online by VTX, by email to User, or through whatever other means as determined by VTX, VTX may modify the terms and conditions of this license, as well as discontinue or change the services offered. User’s continued use of the Office Plus Software after the effective date of any such notice constitutes acceptance of the terms of this, as modified.

• Through use of the Office Plus Software, VTX and its service providers (including Google Analytics) may, in compliance with all applicable laws, collect and track certain information such as browser type, time spent on the Office Plus Software, pages visited, language preferences, and other anonymous traffic data, using cookies or other similar technologies

VTX and our service providers may use the information for security purposes, to facilitate navigation, display information more effectively, and to personalize the User experience while using the Office Plus Software. More information is available at www.google.com/policies/privacy/partners/.

• User shall ensure that its webpage on the Office Plus Software and any content User posts thereon complies with applicable laws and regulations, and User will provide a privacy policy to the extent so required.

• PRICING: Office Plus Software pricing is $5.00 for each patient data upload.

• Billing and Payment
VTX will invoice User on or before day seven (7) of each month, $5.00 for each patient data uploaded in the prior month. Invoices are due thirty (30) days from invoice date. Past due invoices will accrue a 1.5% per month interest charge. VTX reserves the right to change the price per patient data upload , upon a ninety-day written notice.

ATTACHMENT B
BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement”) entered into this {dateSigned},  (“Effective Date”) by and between {companyName} (“Covered Entity”) with its principal place of business at {CompanyAddress}, and VirtuOx, Inc. ("Business Associate”) with its principal place of business at 5850 Coral Ridge Drive, Suite 304, Coral Springs, FL 33076.

INTRODUCTION

1.1 This Agreement governs the terms and conditions under which Business Associate will access PHI belonging to patients of VirtuOx in performing services for, or on behalf of, VirtuOx. Specifically, this Agreement governs the terms and conditions under which Business Associate will provide Underlying Services, as defined below, to VirtuOx.

1.2 Covered Entity and Business Associate intend to: (a) protect the privacy and provide for the security of PHI disclosed pursuant to this Agreement and (b) comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), Public Law 111-5, and other regulations promulgated by the U.S. Department of Health & Human Services (“HIPAA Regulations”) and other regulations promulgated by the U.S. Department of Health & Human Services as well as applicable federal and state privacy laws or other applicable laws.

DEFINITIONS

2.1 Unless otherwise defined in this Agreement, the Terms used in this Agreement including “Designated Record Set,” “Disclosure,” “Notice of Privacy Practices,” and “Required by Law,” shall have the same meaning as those terms in the HIPAA Regulations.

2.2 For purposes of this Agreement:

2.2.1 “Breach” means the acquisition, access, use, or disclosure of Protected Health Information, as defined below, in a manner not permitted under Subpart E of 45 CFR Part 164 that compromises the security or privacy of the Protected Health Information (within the meaning of, and subject to the exceptions set forth in, 45 CFR 164.402).

2.2.2 “Designated Record Set” shall have the meaning given to such term under the Privacy Rule, as defined below, including, but not limited to, 45 CFR 164.501.

2.2.3 “Electronic Protected Health Information” means Protected Health Information, as defined below, that is transmitted by or maintained in electronic media as defined in 45 CFR 160.103.

2.2.4 “Individual” shall have the same meaning as the term “Individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

2.2.5 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, subparts A and E.

2.2.6 “Protected Health Information” or "PHI" shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

 

2.2.7 “Underlying Services” shall mean the services performed by Business Associate for Covered Entity, pursuant to an Underlying Services Agreement, as defined below, only to the extent that said services involve the creation, maintenance, use, disclosure or transmission of PHI.

2.2.8 “Underlying Services Agreement” shall mean the written agreement(s), other than this Agreement, by and between the parties as amended from time to time pursuant to which Business Associate has access to, receives, maintains, creates or transmits PHI for or on behalf of Covered Entity in connection with the provision of the Underlying Services or performance of Business Associate’s obligations under said agreements.

OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to:

3.1 Use and Disclosure. Not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law.

3.2 Appropriate Safeguards. Use appropriate physical, technical, and administrative safeguards (a) to prevent use or disclosure of PHI other than as permitted under this Agreement or as Required By Law and (b) to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

3.3 Assurances. Provide Covered Entity with written assurances that any PHI placed on any type of mobile media, including, but not limited to: laptop computers, tablets, mobile phones, etc., is encrypted in accordance with guidance issued by the Secretary of the U.S. Department of Health & Human Services (“Secretary”).

3.4 Breach Reporting. Report in writing to Covered Entity within two (2) business days after discovery, any suspected or actual: (a) access, use or disclosure of PHI not permitted by this Agreement; (b) Breach of unsecured PHI in accordance with 45 CFR 164.410; (c) security breach or intrusion; (d) use or disclosure of PHI in violation of any applicable federal or state laws or regulations. Business Associate has implemented or will implement a reasonable system for discovery of Breaches.

3.5 Mitigation. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

3.6 Agents and Subcontractors. Ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information.

3.7 Access to PHI. In the event that the Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to provide access, within ten (10) days of a request by Covered Entity in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.

3.8 Amendment of PHI. In the event that the Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, within ten (10) days of receipt of a request from Covered Entity and in the time and manner designated by Covered Entity.

3.9 Document Disclosures. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

3.10 Accounting of Disclosures. Within ten (10) days of notice by Covered Entity of a request for an accounting of disclosures of PHI, provide to Covered Entity, in the time and manner designated by Covered Entity, information collected in accordance with Section 3.9, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

3.11 Compliance with Applicable Requirements. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164 (governing security and privacy of PHI), comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

3.12 Electronic Transactions. If Business Associate conducts any Standard Transaction for or on behalf of Covered Entity, Business Associate shall comply with the requirements under the Electronic Transaction Rule (as those terms are defined in the Security Rule).

3.13 Government Access. Make internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity immediately of such request.

3.14 Inspection. Within ten (10) business days of a written request by Covered Entity, Business Associate and its agents or subcontractors, if any, shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement for the purpose of determining whether Business Associate has complied with this Agreement; provided, however, that (a) Business Associate and Covered Entity will mutually agree in advance upon the scope, location and timing of such an inspection, and (b) Covered Entity will protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such inspection.

3.15 Identity Theft. Implementation of an Identity Theft Monitoring Policy and Procedure, to protect any patient information that may be breached by the Business Associate to the extent applicable under the Federal Trade Commission's Red Flag Rules.

3.16 HITECH Compliance.

Business Associate shall:

3.16.1 not receive, directly or indirectly, any impermissible remuneration in exchange for PHI or Electronic PHI, except as permitted by HITECH § 13405(d) or the HIPAA Regulations;

3.16.2 comply with the marketing and other restrictions applicable to business associates contained in HITECH § 13406 and the HIPAA Regulations;

3.16.3 to the extent required under HITECH § 13404, fully comply with the applicable requirements of 45 CFR 164.502(e)(2) for each use or disclosure of PHI

3.16.4 to the extent required under HITECH § 13401, fully comply with 45 CFR 164.308, 164.310, 164.312, and 164.316;

3.16.5 to the extent required under HITECH §§ 13401 and 13404, comply with the additional privacy and security requirements that apply to covered entities in the same manner and to the same extent as Covered Entity is required to do so; and

3.16.6 to the extent required under the HIPAA Regulations, comply with the privacy and security requirements that apply to business associates.

3.17 State Privacy Laws. Business Associate shall understand and comply with state privacy laws to the extent that such state privacy laws are not preempted by HIPAA or HITECH.

OBLIGATIONS OF COVERED ENTITY

4.1 Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.

4.2 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

Except as otherwise limited in this Agreement:

5.1 Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

5.2 Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

TERM AND TERMINATION

6.1 Term. This Agreement shall be effective on date hereof and the obligations set forth in this Agreement shall terminate only when all of the PHI provided by Covered Entity to Business Associate, shall terminate only when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Article 6.

6.2 Termination for Cause. Upon VirtuOx’s knowledge of a material breach by Business Associate, VirtuOx shall either: i.) provide an opportunity for Business Associate to cure the breach or end the violation; ii.) immediately terminate this Agreement and any Underlying Services Agreement(s) if Business Associate has

breached a material term of this Agreement and cure is not possible; iii.) if neither termination nor cure is feasible, VirtuOx shall report the violation to the Secretary.

6.3 Automatic Termination. This Agreement will automatically terminate upon completion of Business Associate’s duties under all Underlying Services Agreement(s) between Business Associate and VirtuOx or by mutual written agreement to terminate all Underlying Service Agreement(s).

6.4 Effect of Termination. Except as provided in this Section 6.4, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction not feasible. Upon mutual agreement of the parties that return, or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

NOTICES

7.1 All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below:

If to Business Associate, to:

VirtuOx, Inc.
5850 Coral Ridge Drive, Suite 304, Coral Springs, FL 33076
ATTN: Chief Compliance & Privacy Officer
Telephone: (877) 337-7111
Email: Compliance@VirtuOx.net

 

If to Covered Entity, to 

{companyName}
{notificationCompany}
{notificationAttention}
{notificationPhone}
{notificationEmail}

MISCELLANEOUS PROVISIONS
8.1 Amendment. Business Associate and VirtuOx agree to take such action as is necessary to amend this Agreement in order for VirtuOx to: (a) protect the privacy and provide for the security of PHI disclosed pursuant to this Agreement and (b) comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), Public Law 111-5, and other regulations promulgated by the U.S. Department of Health & Human Services as well as applicable federal and state privacy laws or other applicable laws. This Agreement may be amended only in a writing signed by both parties.
8.2 No Third-Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon a person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

8.3 Other Applicable Law. This Agreement does not, and is not intended to, abrogate any responsibilities of the parties under any other applicable law.
8.4 Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity, its directors, officers, employees, contractors and agents, against, and in respect of, any and all claims, losses, expenses, costs, damages, obligations, penalties, and liabilities which Covered Entity may incur by reason of Business Associate’s breach of or failure to perform any of its obligations pursuant to this Agreement. Further, Business Associate agrees to indemnify, defend, and hold harmless Covered Entity, its directors, officers, employees, contractors and agents, against all costs and expenses, including but not limited to, reasonable legal expenses, which are incurred by or on behalf of Business Associate in connection with the defense of such claims.
8.5 Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself, and any subcontractors, employees, affiliates or agents assisting Business Associate in the performance of its obligations under this Agreement, available to Covered Entity, at no cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers or employees based upon a claimed violation of HIPAA, HITECH, the HIPAA Regulations, or other laws relating to security and privacy, except where Business Associate or its subcontractor, employee or agent is named adverse party.
8.6 Survival. The respective rights and obligations of Business Associate under this section shall survive the termination of this Agreement.
8.7 Ownership of Information. Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or interest in or to the PHI or any portion thereof.
8.8 Right to Injunctive Relief. Business Associate expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law. Therefore, Business Associate agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity.
8.9 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Regulations.
8.10 Severability. In the event any part or parts of this Agreement are held to be unenforceable, the remainder of this Agreement will continue in effect.
8.11 Effect of Agreement. With respect solely to the subject matter herein, the case of any conflict in terms between this Agreement and any other previous agreement or addendum between the parties, the terms of this Agreement shall control and supersede and nullify any conflicting terms as it relates to the parties in a business associate relationship.
8.12 Execution in Counterparts. This Agreement may be executed in counterparts, each of which will constitute an original and all of which will be one and the same document.

THIS SECTION INTENTIONALLY LEFT BLANK

IN WITNESS WHEREOF, the parties have hereunto set their hands on the day and year first above written.

Vendor / Consigner 

VirtuOx, Inc

 

Signor Name:________________________

 

Signature: __________________________

 

Company / Covered Entity:

{companyName}

{CompanyAddress}

{signorName}