TERMS AND CONDITIONS FOR TSINGKE SERVICES
These Terms and Conditions shall supersede any conflicting terms and conditions of Customer. Tsingke’s commencement of the provision of Services shall not be construed as acceptance of a Customer order containing or referencing Customer terms and conditions.
(a)The term “Services” means collectively the [ Oligo Synthesis（Oligo-Rapid Synthesis、DNA and RNA Oligos）、Gene Synthesis（Standard Gene Synthesis、Economy Gene Synthesis、Site-directed mutation、DNA Cloning、Plasmid Extraction）、Modified/Probe Synthesis（Modified DNA Oligos、Probe Synthesis、RNA Synthesis、Others) ].
(b)The term “You” means any entity deploying the Services and authorized by these Terms and Conditions to use the Services.
(c)The term “Administrator” means an individual(s) who shall be Customer’s agent to i) designate employees of Customer who can use the Services (i.e. Authorized Customer Users); ii) change Customer’s employees user roles within the system; and iii) remove Customer’s users.
(d)The term “Authorized Customer User” means a person or user authorized by a Customer to access and use the Services.
(e)The term “Customer Data” means confidential and/or proprietary information of Customer, including but not limited to, any content, information, material, or data provided, posted, uploaded, transferred, published, transmitted or distributed by the Customer or a user through the Services, which may include but is not limited to genomic data, text, images, profile information, personally identifiable information, research results, gene synthesis information and other data.
(f)The term “Service Provider” means a third-party individual or entity that provides services to Tsingke in support of the Services contemplated by these Terms and Conditions.
3.1Restrictions and Requirements. Customer shall be responsible for all activities that occur under its Administrators and Authorized Customer User accounts. Customer shall: (i) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data; (ii) use commercially reasonable efforts to prevent unauthorized access to,or use of, the Services, and notify Tsingke promptly of any such unauthorized use; (iii) adhere to all Customer requirements set forth in the Description of Services; and (iv) comply with all applicable local, state, federal, and foreign laws when using the Services and, if using the Services outside of the People’s Republic of China(“China”), not use the Services in a manner that would violate any China laws if conducted therein.
3.2Use Guidelines. Customer shall and shall cause its Administrators and Authorized Customer Users to use the Services solely for its own internal research purposes as contemplated by these Terms and Conditions and shall not permit use of the Services for any diagnostic or therapeutic uses or use by any third party. Without limitation, Customer shall not: (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Services available to any third party, other than as contemplated by these Terms and Conditions; (b) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (c) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violating third party privacy rights; (d) send or store material containing software viruses, worms, Trojan Horses or other harmful computer code, files, scripts, agents or programs; (e) interfere with or disrupt the integrity or performance of the Services, the data contained therein; (f) attempt to gain unauthorized access to the Services, its related systems or networks or data of other Tsingke customers; or (g) cause or permit the reverse engineering, disassembly or decompilation of the Services. Customer shall not (h) modify, copy or create derivative works based on the Services or Tsingke technology; (i) create Internet "links" to or from the Services, or "frame" or "mirror" any content forming part of the Services, or (j) disassemble, reverse engineer, or decompile the Services, or Tsingke technology, or access it in order to (I) build a competitive product or service, (II) build a product or service using similar ideas, features, functions or graphics of the Service, or (III) copy any ideas, features, functions or graphics of the Service.
3.3Research Use Only. Customer shall use the Services for research use only. Tsingke does not intend the Services to be used in or for clinical or therapeutic applications and does not warrant its fitness or suitability for any clinical diagnostic or therapeutic use. Customer is solely responsible for all decisions regarding the use of the Services and any associated regulatory or legal obligations.
4. OWNERSHIP AND USE OF CUSTOMER DATA
4.1Consent. Customer is solely responsible for the content and accuracy of the Customer Data, and Customer must provide all Customer Data for use in the Services by means of the upload services supported by Tsingke. Customer represents and warrants that it has sufficient rights and has obtained all necessary consents required to transfer, transmit, store, copy, process and have processed by a third party and use all data, including Customer Data, and software provided by Customer (“Customer Materials”) and used by Customer with the Services. Customer will obtain all necessary consents to allow Tsingke and any Tsingke third-party service providers or suppliers (“ Service Providers”) to use and process Customer Materials as set forth in these Terms and Conditions. Customer is responsible for evaluating the sufficiency of the security provided by Tsingke and Service Providers under these Terms and Conditions to its own satisfaction.
4.2Customer Data License. In respect of data that is submitted, measured, captured, transferred, processed or transmitted to provide the Services (“Customer Data”), Customer authorizes and grants Tsingke and Service Providers a non-exclusive, worldwide, royalty- free, perpetual, revocable license to use, compile, distribute, display, store, process, reproduce, and create derivative works of Customer Data (i) as needed for provision of the Services and/ or operation and maintenance of the Services or any other Tsingke or Service Provider application or other application provided by Customer to Tsingke as part of Tsingke’s standard administration of the Services, or for operation or maintenance of the Customer Data, specifically to view, store, copy, and delete any information sent to, from, or stored and (ii) to use and exploit the Customer Data as described below.
4.3Intellectual Property License. Customer grants to Tsingke and Service Providers a limited, non-exclusive, non-transferable license to use any of Customer’s intellectual property necessary to provide the services, including any genomic data, text, images, profile information, Customer Data, data, video, audiovisual content, works of authorship or other types of materials, information or communications, or hyperlinks to any of the foregoing that Customer provides, posts, uploads, publishes, transmits or distributes on or through the Services. Customer warrants that (i) the Customer Data is provided, and will be used, in accordance with all provisions of applicable law, including any laws and regulations in relation to the processing of personal data; (ii) Customer will not require Tsingke or Service Providers to engage in the provision of services in relation to the Customer Data that violates any provision of applicable law; and (iii) all disclosures and uses of Customer Data provided to Tsingke is provided in compliance with all applicable law including, without limitation, the Biosafety Act of the People's Republic of China and related and similar laws, rules and regulations, and that none of the Customer Data shall be used for underwriting, insurance, employment, benefits or other purposes except in compliance with all applicable law.
4.4De-Identified Data. Tsingke shall have no right to sublicense or resell Customer Data except, however, that Customer agrees that Tsingke and Service Providers may collect, analyze and use De-Identified Data (as defined in this paragraph below) derived from Customer Data for the following purposes: (i) generating analyses and metrics whether alone or in combination with De-Identified Data from other sources in aggregated and de-identified format (the “Analytical Results”); (ii) providing Analytical Results, reports and monitoring assessments stakeholders from time to time (at Tsingke’s discretion); (iii) developing and training Tsingke’s predictive models; (iv) conducting internal research; and (v) development and marketing. “De-Identified Data” means data in de-identified form, in which all personally identifiable information, including direct and indirect identifiers, has been permanently removed or obscured so the remaining information does not reasonably identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. Customer agrees that Tsingke and Service Providers will have the right, both during and after the Services term, to use, store, transmit, distribute, modify, copy, display, sublicense and create derivative works of De-Identified Data derived from Customer Data.
4.5Customer Data Responsibilities. Tsingke does not own any Customer Data, and Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use any Customer Data, as applicable. Tsingke and Service Providers expressly disclaim any liability for Customer Data transmitted through or stored, temporarily or permanently, on Tsingke’s or Service Providers’ networks or any server and for the actiongs or omissions of Customer with respect to such Customer Data.
4.6Date Subject Rights. All of terms set forth hereinabove, do not, in any way, preclude any data subject’s rights or obligations as set out in applicable laws.
6. DATA PROTECTION ADDENDUM
Customer acknowledges it is the Controller (as that term is defined in the General Data Protection Regulation of the European Union “GDPR”) of all Customer Data. Customer acknowledges that is has read, understands and agrees to the terms of the Data Protection Addendum located here [https://tsingke.com/pages/data-protection-addendum] to establish minimum data protection and cybersecurity standards.
7. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
To the extent Customer is considered a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Customer agrees to the terms and conditions set forth in Schedule 1: Business Associate Agreement attached hereto and herein incorporated by reference, to the extent applicable to the Services.
8. CONFIDENTIAL INFORMATION
“Customer Data” means confidential and proprietary information of Customer, including but not limited to, any content, information, material or data provided, posted, uploaded, transferred, published, transmitted or distributed by the Customer or a user through the Services, which may include but is not limited to genomic or gene synthesis data, text, images, profile information, personally identifiable information, research results or other data. “Tsingke Confidential Information” means these Terms and Conditions, any technical information regarding the Services including without limitation any information regarding information technology, system architecture, algorithms, source code, methods, equipment, gene synthesis technology as well as any financial data, marketing and sales information, concerning Tsingke or its affiliates, licensors, or third parties. Customer agrees to hold Tsingke Confidential Information in confidence and agrees not to release such information to any individual whether employee, subcontractor or subcontractor employee, unless such individual has a need for such knowledge for the performance of the Services. Customer further agrees not to make use of Tsingke Confidential Information for its own benefit or for the benefit of any third parties other than as specifically required in the performance of these Terms and Conditions.
The above limits on disclosure do not include information which the receiving party can prove (A) is or becomes generally known through no fault by the receiving party; (B) is learned by it from a third party entitled to disclose the information; (C) is already known to it prior to receiving it from the disclosing party; or (D) is independently developed by it.
In the event of any breach of these confidentiality obligations, each party acknowledges that the disclosing party would be irreparably injured and shall be entitled to seek equitable relief, including injunctive relief and specific performance, in any court of competent jurisdiction. Such remedies shall not be deemed to be the exclusive remedies for a breach of the Agreement.
Upon expiration or termination of the Agreement for whatsoever reason, Tsingke Confidential Information shall be returned to Tsingke or shall be permanently destroyed. The terms of this Section 6 shall survive the expiration or termination of these Terms and Conditions.
9. REPRESENTATIONS AND WARRANTIES
Tsingke warrants that the Services will be performed in a professional and workmanlike manner and will be of a quality conforming to general standards of care and to Description of Services set forth in Section 10.
TSINGKE DOES NOT GUARANTEE THE AVAILABILITY OF THE SERVICES AT ALL TIMES OR THAT ACCESS WILL BE UNINTERRUPTED OR ERROR FREE. TSINGKE MAY INTERRUPT, LIMIT, SUSPEND OR TERMINATE THE SERVICES FROM TIME TO TIME FOR MAINTENANCE, UPGRADES OR ANY REASONABLE PURPOSE PROVIDED THAT WHEN PRACTICABLE TSINGKE WILL USE COMMERCIALLY REASONABLE EFFORTS TO NOTIFY CUSTOMER IN ADVANCE.
CUSTOMER’S EXCLUSIVE REMEDY AND TSINGKE’S ENTIRE LIABILITY FOR ANY BREACH OF THIS WARRANTY SHALL BE RE-PERFORMANCE OF THE NON-CONFORMING SERVICE.
TSINGKE MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Customer in its name and on behalf of its Administrators and Authorized Customer User(s) represents and warrants to Tsingke that: (A) it has the right to permit Tsingke and Service Providers to access its Customer Data for troubleshooting, repair and maintenance purposes; and perform any Services described herein (B) its Administrators and Authorized Customer Users will comply with all terms and conditions and policies for use of the Services (C) Customer owns or has provided or obtained the necessary disclosures, permissions and consents to use, and authorize the use of, the Customer Data as described herein under applicable law.
Customer shall and hereby agrees to defend, indemnify and hold Tsingke and its affiliates, Service Providers and licensors harmless from and against any and all claims, losses, damages, liabilities, obligations, judgments, causes of action, costs, charges and expenses (including without limitation, reasonable attorneys’ and consultants’ fees and such fees and penalties as any third party licensors may impose) arising out of or in connection with: (i) any civil, regulatory and/or criminal suit alleging that Tsingke and/or Service Providers had no right or authority to access the Customer Data; (iv) any Customer and/or Administrator or Authorized User negligence, recklessness or willful misconduct; or (iii) any violation of, or non-compliance with applicable laws.
10. DESCRIPTION OF SERVICES
All services described in this Section 10 hereinafter are subject to the assumption that the Customer has purchased or acquired gene synthesis and oligo synthesis service .Tsingke will provide Customer with one or more of the following Services depending on Customer’s agreed order:
Free reference design of genes;
Design of enzyme cutting site, optimization of codon, etc.
The synthetic gene can be cloned into the specified vector;
Signed gene synthesis service agreement and confidentiality contract;
Certificate of Analysis is available.
Fast full process technical support;
Highly customizable from production to delivery;
Signed oligo synthesis service agreement and confidentiality contract;
Disclaimer: Tsingke only on the basis of customer provide the sequence of Gene synthesis and Oligo synthesis service, and will be the result of Gene synthesis/Oligo synthesis product delivery to the customer, the customer is the true owner of product , the product all the consequences resulting from the use by Gene synthesis and Oligo synthesis, the responsibility is borne by the Gene synthesis and Oligo synthesis results of product user, and has nothing to do with company. Hereby declare!.
Connectivity to Internet: Access to and interaction with the Services requires connectivity to the Internet which is solely the responsibility of Customer. Customer will provide and maintain all hardware, software and network connectivity needed to access the
internet and the Services, and Customer will use best efforts to ensure that such hardware, software and network connectivity will at all times meet the minimum standards set forth in the Description of Services. IDT shall not be liable for any non-availability of Services due to insufficient hardware, software or network connectivity provided by Customer.
Peripheral Equipment: Devices required to access the Services (e.g. Smart Phones, Tablets, Laptops, and PC’s) and their access to the Internet are solely the responsibility of Customer.
Customer Administrator: Customer agrees to designate an individual(s) (“Administrator”) who shall be Customer’s agent to i) designate those Customer employees who can use the Services and access Customer’s Analysis Lab and Customer Data; ii) change Customer employee user roles; and iii) remove or deactivate Authorized Customer Users. Each Customer employee authorized to access the Services by the Administrator shall be an “Authorized Customer User.” The Administrator shall be responsible for the relationship between Tsingke and each Authorized Customer User.Only the Administrator may deactivate Authorized Customer Users and approve new Authorized Customer Users.Customer shall keep full and accurate records of all active, inactive or deactivated Authorized Customer Users. Customer is responsible for issuing, administering, updating and ensuring that proper security measures are in effect with respect to all emails and passwords used by Authorized Customer Users. Customer is solely responsible for monitoring, supervising and terminating, when appropriate, its Authorized Customer User access to Services. The use of email addresses and passwords constitutes acts of Customer, and Tsingke may rely upon the instructions, consent given and all action taken, without verifying the identity or authority of any person accessing Services by means of such email address and passwords. Although each Administrator and Authorized Customer User is personally responsible for its use of Services, and Customer Data, Customer is responsible for ensuring that its Administrator and each Authorized Customer User is aware of and complies with these Terms and Conditions.
11. INTELLECTUAL PROPERTY
Customer acknowledges that any and all intellectual property rights embodied in the Services, including without limitation any copyrights, patents or patent applications, trademarks and service marks shall vest in Tsingke. Customer shall refrain from taking out or applying for any kind of registration or protection of such intellectual property. Customer agrees that Tsingke owns all algorithms associated with the Services. The information contained in or otherwise associated with the design and operation of the Services are the proprietary and confidential information of Tsingke (and its licensors), and Tsingke (and its licensors) deems the information to be a trade secret. Customer are licensing the right to access and use the Services in accordance with the terms of these Terms and Conditions and are not acquiring any claim or right of ownership in the Services or any intellectual property associated with it. Customer will treat the information contained in the Services as the proprietary and confidential information of Tsingke and/or its licensors.
12. LIMITATION OF LIABILITY
12.1Subject to the provisions in Section 9, Tsingke’s liability for damages shall be limited as follows:
TSINGKE´s AGGREGATE LIABILITY IN RESPECT OF THE PROVISION OF THE SERVICES SHALL NOT EXCEED THE LOWER OF (a) AN AMOUNT OF USD 10,000 OR (b) AN AMOUNT EQUAL TO THE AMOUNT OF FEES PAYABLE TO TSINGKE BY CUSTOMER ON AN ANNUAL BASIS;IN NO EVENT SHALL TSINGKE, ITS AFFILIATES, SUPPLIERS, SERVICE PROVIDERS OR SUBCONTRACTORS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, OR FOR CORRUPT OR UNAVAILABLE CUSTOMER DATA, OR COSTS OF PROCURING SUBSTITUTE GOODS OR SERVICES ARISING OUT OF OR IN CONNECTION WITH THESE TERMS AND CONDITIONS, AND INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT, WARRANTY, TORT OR STRICT LIABILITY, EVEN IF TSINGKE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12.2Aforesaid limitation of liability shall not apply to (i) any damages caused by willful misconduct, (ii) damages to life or health, or (iii) where liability cannot be excluded under applicable statutory law.
12.3Customer shall take all reasonable measures to prevent data loss and other damages, including without limitation by way of back- up copies of Customer Data on a regular basis and security checks for viruses, malware and other disruptive programs within Customer's IT System. Customer is responsible for the use of the Services by any of Customer’s employees, by any person or entity to whom Customer has given access to the Services, or any person who gains access to Customer Data or the Services as a result of Customer’s failure to use reasonable security precautions, even if that use was not authorized by Customer.
12.4THE FOREGOING DISCLAIMERS AND LIMITATIONS SHALL SURVIVE TERMINATION OR EXPIRATION OF THESE TERMS AND CONDITIONS.
These Terms and Conditions shall be governed by laws of the People’s Republic of China., exclusive of its conflict of laws provisions. These Terms and Conditions shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods.
These Terms and Conditions contain the complete agreement between the parties with respect to the subject matter hereof, and supersede all prior or contemporaneous agreements or understandings, whether oral or written. If a court of competent jurisdiction holds any provision of these Terms and Conditions invalid or unenforceable for any reason, that provision will be enforced to the maximum extent permissible, and the remaining provisions of these Terms and Conditions will remain in full force and effect.The controlling language of these Terms and Conditions, and any proceedings relating to these Terms and Conditions, shall be English. The headings to the sections of these Terms and Conditions are used for convenience only and shall have no substantive meaning. All questions concerning these Terms and Conditions shall be e-mailed to:[dataprivacy.tsingke.com.cn].
Business Associate Agreement
This Business Associate Agreement (the “BAA”) is Schedule 1 to the Terms and Conditions for Tsingke Services (the “Agreement”) entered into as of the date Customer accepted the Terms and Conditions online for the services provided by Tsingke. To the extent applicable and only to the extent Customer is deemed a Covered Entity, this BAA is entered into by and between Beijing Tsingke Biology Co., Ltd. and its affiliates (“Business Associate”) and Customer (“Covered Entity”), which is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Any capitalized terms not defined below will have the same meaning as set forth in the Agreement between the Parties.
A.This BAA sets forth the terms and conditions that shall govern Covered Entity’s disclosure of Protected Health Information to Business Associate and its subsidiaries. This Agreement only applies to the extent Business Associate is deemed a business associate to Covered Entity under the Privacy Rule or the Security Rule.
B.Business Associate shall comply with the obligations imposed upon business associates under the Health Information Technology for Economic and Clinical Health Act, Division A of Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005 (the “HITECH Act”), and those obligations are incorporated by reference into this Agreement, with the understanding that compliance with those obligations is required under this Agreement only as of the date upon which compliance with any such obligation is required under the HITECH Act.
2.Definitions. Except as otherwise defined herein, any and all capitalized terms in this BAA shall have the definitions set forth in the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended from time to time (the “Privacy Rule”) and the Security Standards for Health Insurance Reform at 45 C.F.R. Parts 160, 162 and 164, as may be amended from time to time (the "Security Rule").
A.“Business Associate” generally has the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean Integrated DNA Technologies, Inc and its affiliates.
B.“Covered Entity” generally has the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the party defined as “Covered Entity” in the caption set forth above.
3.Obligations and Activities of Business Associate
A.Business Associate agrees to (1) not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law, (2) use appropriate safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this BAA, and (3) to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware.
B.Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.
C.Business Associate agrees to notify Covered Entity without unreasonable delay and in no case later than 60 calendar days after the discovery of any Breach of Protected Health Information. A Breach shall be treated as discovered by Business Associate as of the first day on which the Breach (i) is known to an employee, officer, or other agent of Business Associate, or (ii) by exercising reasonable diligence, would have been known to an employee, officer, or other agent of Business Associate. The notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during the Breach, as well as any other available information set forth in 45 C.F.R. § 164.404(c).
D.Business Associate agrees that it will not directly or indirectly receive remuneration in exchange for any Protected Health Information subject to this BAA, and will not engage in any communication with respect to Protected Health Information subject to this BAA which might be deemed to be “marketing” pursuant to the HITECH Act.
E.Business Associate agrees to ensure that any Service Providers of Business Associate to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
F.Business Associate agrees to document any disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528 and Section 13405(c) of the HITECH Act, as applicable.
G.With respect to Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity, Business Associate agrees that it will:
（1）Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information;
（2）Ensure that any Service Providers to whom it provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect the information; and
（3）Report to the Covered Entity any Security Incident involving the information of which it becomes aware.
H.To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
I.Business Associate will make its internal practices, books and records relating to its use and disclosure of Protected Health Information it creates or receives for or from Covered Entity available to the Secretary to determine compliance with the Privacy Rule, the Security Rule, and the HITECH Act.
4. Permitted Uses and Disclosures by Business Associate
A.Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information, in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in any agreements between Business Associate and Covered Entity under which Business Associate provides products or services to Covered Entity, provided that such use or disclosure would not violate the Privacy Rule, the Security Rule, or the HITECH Act if done byCovered Entity.
B.Business Associate will, in its performance of functions, activities, or services for, or on behalf of, Covered Entity, make reasonable efforts to use, to disclose and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request (including, to the extent practicable, limiting such use, disclosure, or request to a Limited Data Set, in accordance with 45 C.F.R. § 164.514(e) and Section 13405(b) of the HITECH Act and all guidance issued by HHS), except that Business Associate will not be obligated to comply with this minimum necessary limitation with respect to the following, as appropriate and applicable.
（1）Disclosure to or request by a health care provider for treatment;
（2）Use with or disclosure to an Individual who is the subject of the Protected Health Information, or that Individual’s personal representative;
（3）Use or disclosure made pursuant to an authorization compliant with 45 C.F.R. § 164.508 that is signed by an Individual who is the subject of the Protected Health Information to be used or disclosed, or by that Individual’s personal representative;
（4）Disclosure to HHS in accordance with Section 3.H of this BAA;
（5）Use or disclosure that is Required by Law; or;
（6）Any other use or disclosure that is excepted from the minimum necessary limitation as specified in 45 C.F.R. § 164.502(b)(2).
C.Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
D.Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B).
E.Business Associate may use Protected Health Information to create de-identified information pursuant to the requirements set forth at 45 C.F.R. § 164.514(a)-(c).
F.Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
G.Business Associate may use or disclose Protected Health Information to make the disclosures for public health activities permitted of a person subject to the jurisdiction of the Food and Drug Administration described in 45 CFR §164.512(b)(1)(iii).
5.Obligations of Covered Entity
A.Covered Entity shall notify Business Associate in writing of any limitations in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that the limitations may affect Business Associate's use or disclosure of Protected Health Information.
B.Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate's use or disclosure of Protected Health Information.
C.Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522 or Section 13405(a) of the HITECH Act, to the extent that the restriction may affect Business Associate's use or disclosure of Protected Health Information.
D.Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HITECH Act or any other applicable law if done by Covered Entity.
E.Covered Entity shall use its best efforts to minimize the disclosure of Protected Health Information to Business Associate where the disclosure of that information is not needed for Business Associate to provide products or services to Covered Entity.
6.Term and Termination
A.This BAA shall be effective as of the date set forth above and it shall continue in effect until terminated as provided in Paragraphs 6.B or 6.C.
B.This BAA shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
C.If Covered Entity has reason to believe that Business Associate has committed a material breach of this BAA, Covered Entity shall notify Business Associate of the claimed breach and provide Business Associate with an opportunity to explain why no breach has occurred or to cure the breach. If Business Associate does not explain why no breach has occurred or cure the alleged breach within thirty days after receiving Covered Entity’s notice, Covered Entity may immediately terminate this Agreement by written notice to Business Associate.
D.Unless it is not feasible to do so, upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of Service Providers or agents of Business Associate. If Business Associate determines that returning or destroying the Protected Health Information is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible and shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. The rights and obligations of Business Associate under this paragraph shall survive the termination of this BAA.
7.Notices. All notices, requests, demands, and other communications relating to this BAA which Covered Entity is required or desires to give to Business Associate shall be in writing, shall be sent by United States mail or commercial overnight delivery service, shall be directed to the “Office of General Counsel," and addressed to Business Associate at the address specified below. Notices sent by United States Mail shall be sent by first class mail, registered or certified, postage prepaid, and properly addressed and shall be deemed to have been given on the date actually received or the fifth day after mailing, whichever is earlier. Notices sent by commercial overnight delivery service shall be sent using a service which provides traceability of packages and shall be deemed given on the second business day after the date they are picked up by the delivery service. IDT 1710 Commercial Park Coralville, IA 52241
A.Regulatory References. A reference in this BAA to a section in the Privacy Rule, the Security Rule, or the HITECH Act means the section as in effect or as amended.
B.Amendment. Upon the effective date of any final regulation or amendment to final regulations promulgated by HHS with respect to Protected Health Information, the Privacy Rule, the Security Rule, or the HITECH Act, this BAA will automatically amend the obligations of Business Associate and Covered Entity to the extent necessary to remain in compliance with such regulations.