WELLSKY FINANCIAL SERVICES LLC
Master Services Agreement

This Master Services Agreement (the “Agreement”) applies to any Order Form or other document by and between WellSky Financial Services LLC (“WellSky”) with offices at 11300 Switzer Rd, Overland Park, KS 66210 and its client (“Client”) that incorporates this Agreement by reference.  Each of Client and WellSky may be referred to herein individually as a “Party” and together as the “Parties”.  The Parties agree as follows:

  1. Engagement

1.1.    Client will engage WellSky to provide services and deliverables from time to time, on a project by project basis, subject to the terms of this Agreement, each project to be described in an order form (“Order Form”) for each project and approved in writing by authorized representatives of each Party prior to commencement of work. Unless otherwise agreed between the Parties, engagements hereunder will either be on a “Time and Materials” basis, meaning WellSky will be compensated for the amount of time worked, and be reimbursed for project related expenses, or on a “Fixed Price” basis, meaning WellSky will be compensated based on completion of specified deliverables and expenses as defined within a given Order Form.

1.2.    WellSky is and will continue to be an independent contractor in connection with performance of the services hereunder.

1.3     Client will provide WellSky with timely access to Client’s facilities and to an adequate work area to perform the services, and will provide timely participation of Client’s functional and/or information technology staff as necessary for the delivery of the services.

  1. Fees & Expenses

2.1     WellSky’s provision of services under this Agreement is conditioned upon Client’s payment of the appropriate fees for the services as described in the Order Form, together with travel and living expenses incurred in connection with the services, and this Agreement creates a binding payment obligation. All fees for the services and all travel and living expenses are invoiced as incurred or as otherwise provided in the Order Form, and are payable within thirty (30) calendar days after invoice date, and interest shall accrue on invoiced amounts not paid within such thirty (30) calendar days after invoice date at the lower of 1.5 percent (1.5%) per month for each month that payment is not received by WellSky, or the maximum percentage allowed by applicable law. WellSky may invoke any or all available remedies if any payment is not made when due, including the right to suspend its performance under this Agreement without any liability to Client for any damages arising from or related to such suspension of performance.  Client will reimburse WellSky for all costs and expenses arising from WellSky’s collection of amounts due under this Agreement, including, without limitation, reasonable attorneys’ fees.  All fees may be increased by WellSky once annually commencing one (1) year following the Effective Date of the applicable Order Form at a rate not to exceed five percent (5%).

2.2     All such fees are exclusive of taxes, and Client will pay or reimburse all sales, use, VAT or excise taxes, duties, or assessments arising on or measured by amounts payable to WellSky hereunder.

  1. Term and Termination

3.1     This Agreement shall commence on the Effective Date and shall remain in effect until all Services provided hereunder expire or are terminated, or sooner as provided in this Section 3. Either Party may terminate this Agreement and/or an Order Form hereunder if (i) the other Party materially breaches this Agreement and the fails to cure such breach within sixty (60) days after receipt of written notice of the same, except in the case of failure to pay fees when due, which must be cured within ten (10) days after receipt of written notice from WellSky; or (ii) the other Party becomes the subject of a voluntary proceeding relating to insolvency, receivership, liquidation, bankruptcy, or composition for the benefit of creditors and such petition or proceeding is not dismissed within sixty (60) days of filing.

3.2     Termination of this Agreement or an Order Form shall not relieve either Client or WellSky of any obligation to the other Party in accordance with the terms of this Agreement with respect to obligations that survive this Agreement.

3.3     The terms and conditions in this Agreement that by their nature and context are intended to survive any termination of this Agreement, including, without limitation, Sections 2, 3, 4, 5, 6, 7 and 8, will survive such termination of this Agreement for any reason and will be fully enforceable thereafter.

  1. Ownership and Other Rights

4.1     No product or service provided under this Agreement will be deemed a “work-made-for-hire,” and all ownership, copyright, patent, trade secret, and other rights in all deliverables (including, but not limited to, ideas, know-how, or techniques) made or conceived by WellSky during the term of this Agreement which directly relate to the services, or which directly result from any services performed by WellSky for Client, or which make use of WellSky’s intellectual property (the “Work Product”), will be the rights and property solely of WellSky, whether developed independently by WellSky or jointly with others, and whether or not WellSky uses, registers, or markets the same. Client will assist WellSky as reasonably requested to evidence and enforce WellSky’s rights in and ownership of the Work Product.  WellSky will retain all title to and ownership of all proprietary documentation, software, techniques, tools, and processes used by WellSky in providing the services, and except as expressly provided in Section 4.2 below, no licenses or other rights are transferred or granted to Client under this Agreement or any Order Form or pursuant to the performance of any services under this Agreement or any Order Form, including any license by implication, estoppel, or otherwise.

4.2     Conditional on payment of all required fees and Client’s compliance with the terms of this Agreement, WellSky grants Client a non-exclusive right to use the Work Product delivered under this Agreement for Client’s internal use. Client agrees to exercise the same level of care against unauthorized use by, or disclosure to, third parties as Client uses with respect to its own proprietary information of comparable importance, provided that in no event will the Client use less than reasonable care. The Client may not transfer the Work Product, or the license thereto, to any other party.

  1. Warranties & Limitations on Liability

5.1     Client warrants that (a) it has the legal right to enter into this Agreement, and (b) all information it is furnishing to WellSky is true, accurate, and complete.

5.2     WellSky warrants that it has the legal right to enter into this Agreement and to provide the services to Client, and that the services will be performed in a professional manner.  If Client is dissatisfied with the performance of any services, Client will within thirty (30) calendar days following the completion of the services in question provide WellSky written notice describing the specific basis for such dissatisfaction, and Client’s sole and exclusive remedy for any breach of the warranty set forth herein shall be for WellSky to use commercially reasonable efforts to re-perform such services to the warranted level.

5.3     THE EXPRESS WARRANTIES ABOVE ARE IN LIEU OF ALL OTHER WARRANTIES, AND WELLSKY MAKES NO REPRESENTATIONS OR WARRANTIES CONCERNING THE SERVICES, EXPRESSED OR IMPLIED, EXCEPT AS EXPRESSLY PROVIDED HEREIN, AND EXPRESSLY DISCLAIMS TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW ANY AND ALL OTHER WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR SKILL AND CARE.  ANY IMPLIED WARRANTIES THAT BY LAW CANNOT BE DISCLAIMED ARE LIMITED IN DURATION TO THE GREATER OF (A) NINETY (90) DAYS FROM THE DATE OF THIS AGREEMENT, OR (B) THE SHORTEST PERIOD PERMITTED BY LAW.

5.4     WELLSKY’S TOTAL LIABILITY FOR DAMAGES TO CLIENT FOR ANY CAUSE WHATSOEVER ARISING UNDER OR RELATED TO THIS AGREEMENT, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, SHALL NOT EXCEED THE TOTAL FEES PAID TO WELLSKY UNDER THE ORDER FORM FOR THE AFFECTED SERVICES DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.  IN NO EVENT WILL WELLSKY OR ITS AFFILIATES BE LIABLE FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, PUNITIVE DAMAGES, OR LOST PROFITS, BASED UPON BREACH OF WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF WELLSKY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY A THIRD PARTY AGAINST CLIENT.  WellSky shall not be deemed to be engaged, directly or indirectly, in the practice of medicine or the dispensing of medical services, nor shall it be responsible or liable for the use, application or interpretation of any information, results or product generated by or resulting from the services or arising from the Client’s use of the services.

  1. Confidentiality and Non-Disclosure

6.1     “Confidential Information” means (i) the terms and conditions of this Agreement, and (ii) all other information of a confidential or proprietary nature disclosed by one Party to the other Party in connection with this Agreement which is either (x) disclosed in writing and clearly marked as confidential at the time of disclosure or (y) disclosed orally and clearly designated as confidential in a written communication to the receiving Party within seven (7) days following the disclosure.  “Confidential Information” shall not include information (a) publicly available through no breach of this Agreement, (b) independently developed or previously known to it, without restriction, prior to disclosure by the disclosing Party, (c) rightfully acquired from a third-party not under an obligation of confidentiality.

6.2     Each Party shall (a) secure and protect the Confidential Information using the same degree or greater level of care that it uses to protect such Party’s own confidential information, but no less than a reasonable degree of care; (b) use the Confidential Information of the other Party solely to perform its obligations or exercise its rights under this Agreement; (c) require their respective employees, agents, attorneys, and independent contractors who have a need to access such Confidential Information to be bound by confidentiality obligations sufficient to protect the Confidential Information; and (d) not transfer, display, convey, or otherwise disclose or make available all or any part of such Confidential Information to any third-party.  Either Party may disclose the other Party’s Confidential Information to the extent required by applicable law or regulation, including without limitation any applicable Freedom of Information or sunshine law, or by order of a court or other governmental entity, in which case the disclosing Party shall notify the other Party as soon as practical prior to such disclosure and an opportunity to respond or object to the disclosure.

  1. Indemnification.

7.1     Client shall defend, indemnify and hold WellSky and its officers, directors, and employees harmless from and against any third-party claims, suits, liabilities, obligations, judgments, and causes of action (“Third-Party Claims”) and associated costs and expenses (including reasonable attorneys’ fees) to the extent arising out of or resulting from Client’s use of the Services, or any claim by any party receiving services from Client in connection with the Services.

7.2     To be indemnified, the party seeking indemnification must:  (a) give the other party timely written notice of such Third-Party Claim (unless the other party already has notice); provided, however, that failure to give such notice will not waive any rights of the indemnified party except to the extent that the rights of the indemnifying party are prejudiced thereby, and; (b) give the indemnifying party authority, information, and assistance for the Third-Party Claim’s defense and settlement.  The indemnifying party has the right, at its option, to defend the Third-Party Claim at its own expense and with its own counsel.  The indemnified party has the right, at its option, to join in the defense and settlement of such Third-Party Claim and to employ counsel at its own expense, but the indemnifying party shall retain control of the defense. The indemnifying party has the right to settle the claim so long as the settlement does not require the indemnified party to pay any money or admit any fault without the indemnified party’s prior written consent, which will not be unreasonably withheld, conditioned, or delayed.

  1. Regulatory Compliance

8.1     WellSky shall make available to the Secretary of Health & Human Services or Comptroller General of the United States its books, documents, and records necessary to verify the nature and extent of the costs of those Services.  Said access shall be limited to a period of four (4) years after the provision of the applicable services hereunder.

8.2     The Parties agree to the terms of the Business Associate Exhibit that is attached hereto as Exhibit A.

  1. General Provisions

9.1     Client shall remain solely and exclusively in control of all aspects of its health care services.  WellSky shall neither have nor exercise any control or discretion over Client’s provision of any health care services.  It is further understood and agreed that WellSky may rely upon information that Client furnishes to WellSky and that WellSky reasonably believes to be accurate and reliable. Except as herein provided, WellSky shall not be responsible for any loss suffered by Client due to Client’s action or failure to act on the advice or recommendations made by WellSky or its employees, attorneys, or agents.

9.2     All notices, demands or other communications under this Agreement will be in writing, will reference this Agreement, and will be deemed given (a) when delivered personally, (b) five (5) days after having been sent by registered or certified mail, return receipt requested, or (c) one (1) day after deposit with a commercial overnight carrier, with written verification of receipt. All communications will be sent, in the case of WellSky, to the attention of President and General Counsel at the address set forth above, and in the case of Client, to the attention of the contact and at the address set forth in the applicable Order Form, subject to modification by giving notice as provided herein.

9.3     This Agreement, including all Order Forms referencing this Agreement, each of which are incorporated herein by this reference, constitutes the entire agreement between the parties with respect to the subject matter hereof. This Agreement supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter, and it will supersede any and all conflicting provisions of any order document(s) between the Parties. This Agreement may be modified, amended or waived only by a written instrument signed by duly authorized representatives of both Parties.

9.4     Due to the nature of services provided by WellSky, in no event will WellSky be liable for any claim, loss, liability, correction, cost, damage or expense caused by WellSky where Client has not reported to WellSky the claim, loss, liability, damage or expense within thirty (30) days of Client’s knowledge of loss or liability.  Neither Party may bring any action arising out of or otherwise associated with this Agreement or the rights granted hereunder (other than failures to pay) more than two years after the cause of action accrues.

9.5     If Client submits its own terms which add to, vary from, or conflict with the terms herein in Client’s acceptance of a price quotation or in a purchase order, or to WellSky’s employees, agents, and/or contractors in the course of WellSky providing the services, any such terms are of no force and effect and are superseded by this Agreement.

9.6     This Agreement shall be governed by, construed, and interpreted in accordance with the laws of the State of Kansas, excluding its rules of conflicts of law.  Parties hereby consent and submit to the courts located solely in the State of Kansas.

9.7     Client acknowledges that any breach by Client of Section 4 or 6 of this Agreement shall cause WellSky irreparable harm not compensable with money damages, and that in the event of such breach, WellSky shall be entitled to seek injunctive relief, without bond, from any court of competent jurisdiction.

9.8     Client may not assign this Agreement or any of the rights granted hereunder, including any assignment or transfer incident to the acquisition of Client’s equity interests or merger or consolidation with another entity or by operation of law, without the prior written approval of WellSky.  This Agreement will bind and inure to the benefit of the parties and their respective permitted successors and assigns.

9.9     No failure to exercise or delay by a Party in exercising any right, power, or remedy under this Agreement operates as a waiver of such right, power, or remedy.  A single or partial exercise of any right, power, or remedy does not preclude any other or further exercise of that or any other right, power, or remedy.  A waiver is not valid or binding on the Party granting the waiver unless made in writing.  If any one or more provisions of this Agreement is determined to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions will not be affected or impaired thereby and will nevertheless be binding between the Parties.  If any provision of this Agreement is found to be invalid, illegal, or unenforceable, the parties will modify that provision in a manner that gives effect to the intent of the parties in entering into the Agreement.

9.10   Neither Party shall be liable for any loss, damages, or penalty (other than the obligation to pay money) resulting from any failure to perform due to causes beyond the reasonable control of such Party, including, but not limited to: supplier delay, acts of God, labor disputes, acts of terrorism, war, epidemic, unavailability of components, acts of governmental authorities or judicial action, compliance with laws, or material interruption in telecommunications or utility service. The delayed party shall perform its obligations within a reasonable time after the cause for the failure has been remedied, and the other party shall accept the delayed performance.

9.11   Client agrees that during the Term, and for a period of one year thereafter, such Client will not, without the prior written consent of WellSky, directly or indirectly, solicit, hire, or engage any employee of WellSky with which Client came into contact in connection with this Agreement or the identity of which Client learned as a result of this Agreement.  In the event Client intends to terminate the employment of certain Client employees otherwise providing the same or substantially similar services to Client as those to be provided by WellSky (“Services Employee(s)”), Client hereby grants WellSky the ability to solicit and hire such Services Employee(s) both prior to and following the date such Services Employee(s) are terminated by Client.

9.12   In the event a Client Order Form contains any WellSky application, resources, or services available via the internet (“Cloud Services”), the terms contained in Exhibit B shall apply to Client’s use of such Cloud Services.

9.13   In the event a Client Order Form contains medical coding services (“Coding Services”), the following terms shall apply:

(a)    Client and WellSky agree that WellSky will not be reviewing medical records for clinical appropriateness of the level of care provided, nor will WellSky be performing chart audits to verify that the number of visits and required documentation for each visit is appropriate.  All findings, conclusions, recommendations, coding, and other Work Product of WellSky will be based on the Client’s representation of the accuracy, appropriateness, and completeness of all Client provided information; including but not limited to patient status information and other entries in the patients’ medical records.

(b)   Client shall remain solely and exclusively in control of all aspects of its health care services.  WellSky shall neither have nor exercise any control or discretion over Client’s provision of any health care services, including but not limited to its collection of OASIS and/or HIS patient status data and its assessments.

Exhibit A
BUSINESS ASSOCIATE Agreement

Background

  1. Covered Entity and WellSky have entered into the Agreement, pursuant to which Covered Entity has licensed software from Business Associate and Business Associate provides implementation, maintenance, support, and other services to Covered Entity.
  2. Covered Entity possesses Protected Health Information that is protected under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the regulations promulgated thereunder by the United States Department of Health and Human Services (collectively, “HIPAA”), and is permitted to use or disclose such Protected Health Information only in accordance with HIPAA and the Regulations.
  3. Business Associate may have access to and may receive Protected Health Information from Covered Entity in connection with its performance of services under the Agreement. The Agreement may from time to time require the Business Associate’s receipt, Use, and/or Disclosure of Protected Health Information (PHI) from Covered Entity.
  4. The provisions of this BAA are intended in their totality to implement the HIPAA regulations as they concern Business Associate Agreements. The provisions of the Agreement will remain in full force and effect and are amended by this BAA only to the extent necessary to effectuate the provisions set forth herein.

Terms

  1. Definitions. All capitalized terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the Regulations.
    1. Business Associate shall mean WellSky Corporation.
    2. Covered Entity shall mean Client.
    3. Individual shall have the same meaning as the term “individual” in 45 CFR § 160.103 of the Regulations and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g) of the Regulations.
    4. Regulations shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C; 45 CFR § 164.314, and the Health Information Technology for Economic and Clinical Health Act (HITECH), as it directly applies, as in effect on the date of this BAA.
    5. Protected Health Information shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    6. Required by Law shall have the same meaning as the term “required by law” in 45 CFR § 164.103 of the Regulations.
    7. Secretary shall mean the Secretary of the Department of Health and Human Services or his/her designee.
    8. Security Incident shall have the same meaning given to such term in 45 CFR § 164.304, but shall not include (i) unsuccessful attempts to penetrate computer networks or servers maintained by Business Associate; and (ii) immaterial incidents that occur on a routine basis, such as general “pinging” or “denial of service” attacks, that do not result in the system being taken offline.
  2. Obligations and Activities of Business Associate.
    1. Business Associate agrees to comply with the requirements of the Privacy and Security Rules directly applicable to Business Associates through the HITECH Act.
    2. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this BAA, the Privacy and Security Rules, the Agreement, or as required by law. Such disclosures shall be consistent with the “minimum necessary” requirements of the Regulations.
    3. Business Associate agrees to use reasonable and appropriate safeguards to protect against the use or disclosure of the Protected Health Information other than as provided for by this BAA or the Agreement.
    4. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.
    5. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by the BAA of which it becomes aware.
    6. Business Associate shall notify Covered Entity of a breach of the Privacy Rule relating to the impermissible use or disclosure of Protected Health Information provided to the Business Associate for purposes of carrying out its obligations under the Agreement. Unless otherwise required by law or agreed to by the parties, it shall be the responsibility of Covered Entity to communicate with affected individual(s), the Secretary and the media information regarding the unintended use or disclosure.
    7. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same or similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
    8. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner mutually agreed upon by the parties, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524 of the Regulations. In the event a request for access is delivered directly to Business Associate by an Individual, Business Associate shall as soon as possible, forward the request to Covered Entity.
    9. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 of the Regulations at the request of Covered Entity or an Individual, and in the time and manner mutually agreed upon by the parties. In the event a request for amendment is delivered directly to Business Associate by an Individual, Business Associate shall as soon as possible, forward the request to Covered Entity.
    10. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary, in a time and manner reasonably designated by Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Regulations.
    11. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 of the Regulations.
    12. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner mutually agreed, information collected in accordance with Section 2(k) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 of the Regulations. In the event a request for accounting is delivered directly to Business Associate by an Individual, Business Associate shall as soon as possible, forward the request to Covered Entity.
    13. Notwithstanding anything to the contrary in the Agreement, any reporting or notification obligations of Business Associate pursuant to this BAA shall be provided to Covered Entity’s registered email address and shall satisfy any such reporting or notification requirements under this BAA.
  3. Permitted Uses and Disclosures by Business Associate.
    1. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Covered Entity in connection with the BAA and any other agreements in effect between Covered Entity and Business Associate, including without limitation the provision of software implementation and support services, provided that such use or disclosure would not violate the Regulations if done by Covered Entity.
    2. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
    3. Except as otherwise expressly limited in this BAA, Business Associate may disclose Protected Health Information for disclosures that are Required By Law, or if Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
    4. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
    5. Business Associate may de-identify any PHI, provided such de-identification conforms to the requirements of 45 CFR § 164.514(b), including without limitation any documentation requirements. Business Associate may Use or Disclose such de-identified information as its discretion, as such de-identified information does not constitute PHI and is not subject to the terms of this BAA; provided that such Use or Disclosure is consistent with the underlying Agreement and applicable law.
    6. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
    7. Business Associate may access, use and disclose PHI for any purposes set forth herein, including patient matching and claims data sharing, to facilitate billing, payments or claims related activities by any insurance provider, payer or similar third party to Covered Entity. Business Associate may aggregate PHI with other covered entity data for the creation and maintenance of consumer or patient health records.
  4. Obligations of Covered Entity.
    1. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
    2. Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect the Business Associate’s use or disclosure of protected health information.
    3. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s user or disclosure of protected health information.
    4. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
    5. Covered Entity represents and warrants it has obtained all necessary patient consents and authorizations for Business Associate’s access, use, and disclosure of PHI as set forth herein. Covered Entity shall defend, indemnify, and hold Business Associate and its officers, directors, and employees harmless from and against any third-party claims, suits, liabilities, obligations, judgments, and causes of action and associated costs and expenses (including reasonable attorneys’ fees) arising out of or resulting from Covered Entity’s failure to obtain such consents or authorizations.
  5. Electronic Data Security. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it creates, receives, maintains or transmits to or on behalf of Covered Entity as required by the Regulations.  Business Associate further agrees to ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it.  Business Associate agrees to promptly report to Covered Entity any security incident of which it becomes aware.
  6. Termination.
    1. Except as otherwise provided herein, this BAA shall terminate upon termination of the Agreement.
    2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate of this BAA, Covered Entity may:
      1. Provide a reasonable opportunity for Business Associate to cure the material breach or end the material violation and if Business Associate does not cure the material breach or end the material violation within a reasonable time, Covered Entity may terminate this BAA and the provisions of the Agreement that require or permit Business Associate to access Protected Health Information;
      2. If Business Associate has breached a material term of this BAA and cure is not possible, immediately terminate this BAA and the provisions of the Agreement that require or permit Business Associate to access Protected Health Information; or
      3. If neither termination nor cure is feasible, report the violation to the Secretary.

      If Covered Entity breaches, Business Associate may terminate this BAA and any Underlying Agreement 30 days after written notice.

    3. Effect of Termination.
      1. Except as provided in paragraph (2) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
      2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Except as provided herein, any termination of the maintenance program or provisions of the Agreement that permit Business Associate to access Protected Health Information shall not affect the parties’ other obligations or rights under the Agreement.
  7. Miscellaneous.
    1. Changes to Regulations.  If the Regulations are amended in a manner that would alter the obligations of WellSky as set forth in this BAA, then the parties agree in good faith to negotiate mutually acceptable changes to the terms set forth in this BAA.
    2. Survival.  The respective rights and obligations of Business Associate under Section 6(c) of this BAA shall survive the termination of this BAA.
    3. Minimum Necessary.  Covered Entity shall only provide a minimum amount of Protected Health Information necessary for the Business Associate to satisfy its obligations under the Agreement.
    4. Interpretation.  Any ambiguity in this BAA shall be resolved to permit compliance with the Regulations.
    5. Incorporation.  Except for Covered Entity, no third-party may rely on the terms, conditions, rights, remedies, or obligations hereunder.  The terms of this BAA are fully incorporated in and subject to the terms of the Agreement.
    6. Governing Law.  The choice of law and venue applicable to this BAA shall be the same as the choice of law and venue that are applicable to the Agreement.

Exhibit B
CLOUD SERVICES TERMS

This Exhibit B sets forth certain WellSky Cloud Services terms.  This Exhibit B only applies to Cloud Services. This Exhibit does not apply to any other WellSky services.

1.1. Cloud Services. During the Cloud Services term set forth in an Order Form (the “Term”), WellSky shall provide Client a non-exclusive, non-assignable, limited right to access and use the Cloud Services during the Term, solely for Client’s internal business operations and subject to the terms of this Agreement and the Order Form.  Client shall not have any physical access to the Cloud Services hardware.

1.2. Client Responsibilities. Client shall approve access for all permitted users to the Cloud Services and shall prevent unauthorized access and use of the Cloud Services.  Client shall not, and shall ensure that its permitted users do not: (i) sell, resell, lease, lend or otherwise make available the Cloud Services to a third-party; (ii) modify, adapt, translate, or make derivative works of the Cloud Services; or (iii) sublicense or operate the Cloud Services for timesharing, outsourcing, or service bureau operations.

1.3. Suspension of Services. If (a) there is a threat to the security of WellSky’s systems or the Cloud Services, or (b) Client’s undisputed invoices are sixty (60) days or more overdue, in addition to any other rights and remedies (including termination), WellSky may suspend the Cloud Services without liability until all issues are resolved.

1.4. Scope of Use. The Cloud Services are priced based on certain metrics as set forth in an Order Form. Client may only expand its use of the Cloud Services upon payment of the applicable additional fees at WellSky’s then-current rates.  Any such fees for additional scope of use will be immediately due and payable.

1.5. Audit. WellSky reserves the right to audit Client’s use of the Cloud Services.  If Client’s use is greater than contracted, Client shall be invoiced for any such use, and the unpaid Cloud Services fees shall be immediately due and payable.  If any increase in fees is required, Client shall also pay the expenses associated with the audit.

1.6. Cloud Services Warranty. WellSky warrants that when operated in accordance with its most recent documentation of the functional operation of the Cloud Services (“Documentation”) the Cloud Services shall, without material error, perform the functions as set forth in the Documentation.  Client’s sole and exclusive remedy for any breach of this warranty shall be as set forth in Section 5.2 of the Agreement.

1.7. WellSky Indemnity. WellSky shall defend, indemnify, and hold Client and its officers, directors, and employees harmless from and against any third-party claims, suits, liabilities, obligations, judgments, and causes of action (“Third-Party Claims”) and associated costs and expenses (including reasonable attorneys’ fees) to the extent  arising out of any claim that the Cloud Services infringe any currently existing United States patent or copyright, or misappropriates any trade secret, of any third-party.  If Client’s use of the Cloud Services is finally enjoined, WellSky shall, at its sole option and expense, and as Client’s sole and exclusive remedy, either:  (a) secure for Client the right to continue to use the Cloud Services; (b) replace, modify, or correct such Cloud Services to avoid such infringement, or (c) return any prepaid amounts for subscription Cloud Services not yet performed.  WellSky’s indemnification obligations shall not apply if the Third-Party Claim results from: (i) modifications of the Cloud Services by Client or third-parties; (ii) use of the Cloud Services with non-WellSky software or equipment, or; (iii) use of the Cloud Services in violation of this Agreement, applicable law, or not in conformance with the Documentation.