COGITATE BUSINESS ASSOCIATE AGREEMENT
Last Revised: April 19, 2012
The terms “Cogitate” and “Our” refer to Cogitate Inc., a Michigan corporation, and its subsidiaries and affiliates. The terms “You” or “Your” refer to an individual or entity that has registered for an Account at 9gbackup.com. This Cogitate Agreement (“Agreement”) is made and entered into by and between You and Cogitate and is effective either as of the date (1) You registered for an Account at 9gbackup.com and indicated that You are subject to the requirements set forth in HIPAA, as defined below; or (2) provided a written notification, consistent with the terms hereof, to Cogitate explicitly sating that You are subject to HIPAA (each individually, as a “Party” and, collectively, as the “Parties”).
RECITALS
1. The Parties desire to ensure that their respective rights and responsibilities under the Underlying Agreements, as defined below, reflect applicable federal statutory and regulatory requirements relating to the protection of confidentiality and security of PHI, as defined below, in accordance with federal and state laws, to the extent that state laws are more restrictive, and corresponding regulations including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and any regulations promulgated there under, including but not limited to the Privacy Rule and the Security Rule, as such laws and regulations may be amended from time to time (collectively, the “Privacy Acts”).
2. Cogitate provides data backup services ( “Services”) and You are using Our Services to store and house PHI (“System”) pursuant the Underlying Agreements.
3. The Privacy Acts require that organizations obtain satisfactory assurances in the form of a written contract that Cogitate, or their subcontractors, who create, maintain, transmit and receive PHI will appropriately safeguard the PHI.
NOW, THEREFORE, in consideration of the mutual promises below and other good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS
Terms used in this Agreement that are specifically defined in the Privacy Acts shall have the same meaning as set forth in the Privacy Acts. A change to the Privacy Acts which modifies any defined term, or which alters the regulatory citation for the definition shall be deemed incorporated into this Agreement.
1.1. “Breach” shall have the meaning as given to that term in § 13400(1) of the HITECH Act and 45 CFR § 164.402, and shall generally include the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
1.2. “Compliance Date” means the dates(s) established by the Secretary or the United States Congress as the effective date(s) of applicability and enforceability of the Privacy Acts.
1.3. “Electronic Protected Health Information” and/or “EPHI” shall have the same meaning as given to that term in 45 CFR § 160.103, and shall include any EPHI provided by You.
1.4. “HITECH Act Standards” means the privacy, security and security breach notification provisions applicable to Cogitate under the HITECH Act, and any regulations promulgated thereunder.
1.5. “Protected Health Information” and/or “PHI” shall have the same meaning as given to that term in 45 CFR § 160.103, limited to the PHI provided by You. Unless otherwise stated in this Agreement, any provision, restriction, or obligation in this Agreement related to the use of PHI shall apply equally to EPHI and PHI.
1.6. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, Subparts A and E, as from time to time amended.
1.7. “Required By Law” shall have the same meaning as given to that term in 45 CFR § 164.103, and any additional requirements created under the HITECH Act.
1.8. “Secretary” means the Secretary of the Department of Health and Human Services or his/her designee.
1.9. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system as provided in 45 CFR § 164.304.
1.10. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information and other HIPAA Security Regulations at 45 CFR Parts 160, 162 and 164, Subparts C, as from time to time amended.
1.11. “Underlying Agreements” shall include the 9G BACKUP™ Account Registration Form, the 9G BACKUP™ Data Storage Software End User License Agreement, 9G BACKUP™ Website Terms of Use, and the Cogitate Privacy Statement, as each may be amended from time to time.
1.12. “Unsecured PHI” shall have the same meaning as “unsecured protected health information” in § 13402(h) of the HITECH Act and 45 CFR § 164.402.
2. COGITATE’S OBLIGATIONS
2.1. Cogitate shall not use or disclose PHI other than as permitted or required by this Agreement, the provisions of the Underlying Agreements but only so long as any such use or disclosure is consistent with this Agreement, or as Required By Law.
2.2. Cogitate shall use appropriate safeguards, including without limitation administrative, physical, and technical safeguards, to prevent any use or disclosure of PHI other than as provided by this Agreement, and to reasonably and appropriately protect the confidentiality, integrity, and availability of PHI that Cogitate receives or maintains, or transmits, on Your behalf to the same extent as if Cogitate were a You.
2.3. Cogitate shall mitigate, to the extent practicable, any harmful effect that is known to Cogitate of a use or disclosure of PHI by Cogitate, its agents or subcontractors, if any, in violation of the requirements of this Agreement.
2.4. Cogitate shall notify You in writing of any use or disclosure of PHI that is not authorized by this Agreement within five (5) business days after becoming aware of such use or disclosure.
2.5. Cogitate shall notify You in writing of any Breach involving Unsecured PHI within five (5) business days of becoming aware of such Breach. All reports of Breaches of Unsecured PHI shall be made in compliance with HITECH Act § 13402 and the regulations issued thereunder. A Breach will be treated as discovered as of the first day that such Breach is known or reasonably should have been known by Cogitate. Cogitate shall notify You within seventy-two (72) hours of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of the Privacy Acts. Cogitate shall take (i) prompt action to correct any such deficiencies; and (ii) any action pertaining to such unauthorized disclosure required by the Privacy Acts. NOTHING IN THE FOREGOING SHALL SERVE TO OBLIGATE COGITATE, IN ANY MANNER WHATSOEVER, TO VIEW, TRACK, MONITOR, AUDIT, MANAGE OR PERFORM ANY SUCH SIMILAR TASKS TO THE DATA YOU STORE ON OUR SYSTEM.
2.6. Cogitate shall secure all PHI stored on the System (“PHI Security”) by technology standards, including the use of standards developed under the HITECH Act, that are developed and endorsed by a standards developing organization that is accredited by the National Institute of Standards and Technology and is consistent with guidance issued by the Secretary specifying the technologies and methodologies, that render PHI unusable, unreadable, or indecipherable to unauthorized individuals pursuant to the HITECH Act § 13402(h)(1)(A).
2.7. Cogitate shall ensure that any agent, including a subcontractor, to whom it provides PHI agrees in writing to the same restrictions and conditions, including but not limited to those relating to termination of the contract for improper disclosure, that apply to Cogitate with respect to such information. Further, Cogitate shall implement and maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Cogitate shall terminate any agreement with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations on an ongoing basis.
2.8. Except as necessary to carry out its legal responsibilities, Cogitate may not use the PHI You store on Our System for any purposes.
2.9. Cogitate acknowledges that Cogitate has no ownership rights in the PHI.
2.10. Cogitate hereby acknowledges and agrees that it will comply with the applicable provisions under the HITECH Act Standards and with the obligations of a business associate as prescribed by HIPAA commencing on the Compliance Date of each such provision.
3. YOUR OBLIGATIONS
3.1. You shall not request Cogitate to use or disclose PHI in any manner that would not be permissible under the Privacy Acts if done by You.
3.2. You shall not take any action that would subvert, undermine, disable or cause such similar effect, which would in any manner whatsoever undermine the PHI Security set forth in Section 2.6. Any violation of this Section 3.2 shall be a material breach of the 9G BACKUP™ Data Storage Software End User License Agreement.
4. PARTIES ACKNOWLEDGEMENTS.
4.1. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, THE PARTIES HEREBY AGREE AND ACKNOWLEDGE THAT YOU DO NOT PROVIDE ACCESS TO AND COGITATE DOES NOT HAVE ACCESS TO PHI BECAUSE THE SERVICES PROVIDED BY COGITATE TO YOU ARE NOT OF THE TYPE WHERE COGITATE ACCESSES OR USES PHI.
4.2. Notwithstanding Section 4.1, Cogitate shall make its internal practices, books and records relating to the Services provided to You by Cogitate available to the Secretary for the purposes of determining Your compliance with the Privacy Acts.
5. TERM AND TERMINATION
5.1. Term. The term of this Agreement shall be effective as of the date (1) You registered for an Account at 9gbackup.com and indicated that You are subject to the requirements set forth in HIPAA; or (2) provided a written notification, consistent with the terms hereof, to Cogitate explicitly stating that You are subject to HIPAA and shall terminate when all of the PHI is destroyed
5.2. Termination for Cause. If either Party (the “Non-Breaching Party”) knows of (a) a pattern of activity or practice by the other Party (the “Breaching Party”) that constitutes a material breach or violation of the Breaching Party’s obligations under this Agreement or (b) there is a material breach of this Agreement, the Non-Breaching Party will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful within a period of 15 days, notwithstanding anything contrary in the Underlying Agreements, the Non-Breaching Party will either: (i) terminate the Agreement and the Underlying Agreement, if feasible; or (ii) report the problem to the Secretary consistent with 45 CFR § 164.502(j)(1) and any regulations under ARRA. To the extent there is any conflict between this Section 5.2 and the Underlying Agreements, this Section 5.2 shall prevail.
5.3. Effect of Termination. Upon termination of this Agreement or the Underlying Agreements for any reason, Cogitate shall destroy all PHI that Cogitate or its agents or subcontractors, if any, maintain in any form, and shall retain no copies of such PHI. If You desire to retain the PHI stored on the System, you shall take the necessary steps to save the PHI prior to the termination date.
5.4. Termination of Underlying Agreements. If the Underlying Agreements are terminated for any reason, this Agreement shall also terminate.
6. INDEMNIFICATION, LIABILITY AND DAMAGES. Each party (the “Indemnifying Party”) agrees to indemnify, defend and hold harmless the other party (the “Indemnified Party”), its parent, affiliates, subsidiaries, divisions, licensees, successors and assigns, and the officers, directors, employees and agents thereto, from and against any and all claims, losses, liabilities, costs, attorneys’ fees, and other expenses incurred as a result of or arising directly or indirectly out of or in connection with Indemnifying Party’s or its subcontractors’ or agents’ breach of this Agreement, violation of the Privacy Acts or other applicable law, or otherwise related to the acts or omissions of the Indemnifying Party or its subcontractors or agents; provided however, that Cogitate shall not have any duty or obligation whatsoever to indemnify, hold harmless or defend You or any third party to which it provides services, if such claims, losses, liabilities, costs, attorneys' fees, and other expenses were incurred or arose out of Your violation of Section 3.2 hereof. Notwithstanding anything to the contrary contained herein, neither the Indemnifying Party nor the Indemnified Party shall be liable to the other for consequential, incidental, punitive, special, exemplary or indirect damages, or lost profits in connection with claims made by any party, regardless of the form of action, whether in contract or tort. Each party’s maximum aggregate liability to the other party or any third party for any damages or other liabilities, whether based on warranty, contract, negligence, or otherwise, shall not exceed the sum of all fees paid by You to Cogitate during the term of this Agreement; provided however, that the foregoing shall not limit Your liability to Cogitate with respect to any damages or other liabilities that incurred or arose out of Your violation of Section 3.2 hereof.
7. MISCELLANEOUS
7.1. Regulatory References. A reference in this Agreement to a section of the Privacy Acts, or the regulations issued there under, means the section or regulation as in effect or as amended, and for which compliance is required.
7.2. No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties or their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
7.3. No Joint Venture. The Parties are independent contractors and nothing in this Agreement shall be deemed to make them partners or parties to a joint venture.
7.4. Survival. The rights and obligations contained in Section 6 shall survive the termination of this Agreement.
7.5. Amendments. This Agreement may be amended or supplemented only by a writing that refers explicitly to this Agreement and that is signed on behalf of both Parties.
7.6. Notices. All notices which are required or permitted to be given pursuant to this Agreement shall be in writing and shall be sufficient in all respects if delivered to Cogitate personally, by registered or certified mail, postage prepaid, addressed to a party as indicated below, or to Cogitate or You if delivered by electronic mail (the “E-Mail Notice”) and shall be deemed received as of the date such e-mail is sent; provided, however, if the sender of the E-Mail Notice receives an e-mail undeliverable notice within twenty-four (24) hours of sending the E-Mail Notice, then such E-Mail Notice shall not be deemed received, via e-mail or otherwise.
If to Cogitate:
Cogitate, Inc.
Attn: Legal Department
P. O. Box 980685
Ypsilanti, Michigan 48198
president@cogitateinc.com
If to You, to:
To the E-mail address(es) listed in
the customer account settings.
Notice shall be deemed to have been given upon transmittal thereof as to communications which are personally delivered and, as to communications made by United States mail, on the date of receipt. Cogitate may change the above address by giving notice of such change in the manner provided above for giving notice.
7.7. Severability. If any provision of this Agreement is determined by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions hereof shall continue in full force and effect.
7.8. Complete Integration; Modification of Underlying Agreements. This Agreement contains the entire understanding between the Parties hereto and shall supersede any other oral or written agreements, discussions and understandings of every kind and nature, including any provision to the contrary in any Underlying Agreement. No modification, addition to or waiver of any right, obligation or default shall be effective unless in writing and signed by the party against whom the same is sought to be enforced. No delay or failure of either party to exercise any right or remedy available hereunder, at law or in equity, shall act as a waiver of such right or remedy, and any waiver shall not waive any subsequent right, obligation, or default.
7.9. Governing Law. This Agreement shall be governed and construed in accordance with the laws of the State of Michigan. Jurisdiction of any litigation with respect to this Agreement shall be in Michigan and shall comply with Section 13 of the 9G BACKUP™ Data Storage Software End User License Agreement (Governing Law and Arbitration).
7.10. Effective Date. Provisions in this Agreement that are prospectively required by the HITECH Act shall have an effective date as of the effective date in the HITECH Act.