1. Effective Date and Electronic Acceptance
Effective Date. The Effective Date of this Agreement shall be the date on which Customer accepts this Agreement by clicking "I Agree," checking a box indicating acceptance, or otherwise manifesting assent through the S7 Lab platform during account registration.
Electronic Acceptance. Customer acknowledges and agrees that clicking "I Agree" or checking a box indicating acceptance of this Agreement constitutes Customer's electronic signature and creates a legally binding agreement between the Parties. This electronic acceptance has the same legal effect as a handwritten signature pursuant to the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001 et seq., and applicable state laws governing electronic transactions.
Record of Acceptance. Business Associate will maintain a record of Customer's acceptance of this Agreement, including the date and time of acceptance, the IP address from which acceptance was made, and the version of the Agreement accepted. Customer may request a copy of this acceptance record at any time by contacting legal@s7-lab.health.
2. Background
Customer intends to use S7 Lab's services (the "Services"). In the scope of providing the Services, S7 Lab will receive, maintain, or transmit PHI on behalf of Customer. The Parties have entered into this BAA to comply with all Federal and state laws regarding privacy and confidentiality of health information, including HIPAA and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
3. Business Associate Obligations
Business Associate agrees to:
Not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law;
Use appropriate safeguards regarding electronic PHI ("e-PHI") to prevent use or disclosure of PHI other than as provided for by this Agreement;
Report to Customer any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information and any Security Incident of which it becomes aware;
Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement;
Make available PHI in a Designated Record Set to Customer as necessary to satisfy Customer's obligations under 45 C.F.R. § 164.524;
Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Customer pursuant to 45 C.F.R. § 164.526;
Maintain and make available the information required to provide an accounting of disclosures to Customer pursuant to 45 C.F.R. § 164.528;
Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services or Customer for purposes of determining compliance with the HIPAA Rules;
Safeguards. Use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement, including the following:
Access Controls: Role-based access controls with unique user identification, automatic logoff, and encryption of PHI at rest and in transit using industry-standard encryption (minimum AES-256 for data at rest, TLS 1.2 or higher for data in transit);
Audit Controls: Comprehensive logging and monitoring of all PHI access and modifications with automated alerts for suspicious activities;
Data Integrity: Implementation of checksums, digital signatures, or other mechanisms to ensure PHI has not been improperly altered or destroyed; and
Transmission Security: Secure transmission protocols and end-to-end encryption for all PHI communications.
4. Permitted Uses and Disclosures by Business Associate
Business Associate may only use or disclose PHI as required and within the scope of the Services contemplated by this Agreement, including developing, training, testing, validating, and improving algorithms, decision-support tools, and related machine-learning models that are designed to provide or enhance the Services to Customer.
Business Associate may use or disclose PHI as Required By Law.
De-Identification of PHI. Business Associate may de-identify PHI received from or created on behalf of Customer in accordance with the de-identification standards set forth in 45 C.F.R. § 164.514(b). Business Associate shall maintain documentation of de-identification processes sufficient to demonstrate compliance. PHI that has been de-identified in compliance with the HIPAA De-Identification Standard shall no longer be considered PHI under this BAA or HIPAA and may be used by Business Associate without limitation, provided that such data remains de-identified. Business Associate may combine such de-identified data with other lawfully obtained data and use the combined data for any lawful purpose.
De-identification Safeguards. Business Associate shall implement and maintain reasonable administrative, technical, and physical safeguards designed to prevent re-identification. Business Associate shall not attempt to re-identify, or permit any third party to re-identify, individuals from such de-identified data without the prior written authorization of Customer or as otherwise Required By Law. Any such unauthorized attempt or successful re-identification shall constitute a material breach of this BAA. Both Parties acknowledge that inadvertent re-identification due to actions of third parties beyond Business Associate's reasonable control will not constitute a breach of this Agreement.
Confidentiality of De-identification Methods. Any documentation Business Associate provides about its de-identification methods is confidential and may be used by Customer only to verify HIPAA compliance. Customer will not share, copy, or use such information for any other purpose.
Business Associate may provide data aggregation services relating to the health care operations of Customer.
Access to PHI by Individuals. Upon request, Business Associate agrees to furnish Customer with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Customer. In the event any Individual or personal representative requests access to the Individual's PHI directly from Business Associate, Business Associate will, within ten (10) business days, forward that request to Customer.
5. Customer Representations, Warranties, and Responsibilities
BY ACCEPTING THIS AGREEMENT, CUSTOMER REPRESENTS, WARRANTS, AND COVENANTS THAT:
Authority to Bind. The individual accepting this Agreement on behalf of Customer has full legal authority to bind Customer to the terms of this Agreement. Customer acknowledges that unauthorized acceptance of this Agreement may result in personal liability for the individual who accepted it.
HIPAA Status. Customer is either: (i) a "Covered Entity" as defined under HIPAA; or (ii) a "Business Associate" as defined under HIPAA that is authorized under its own business associate agreement(s) with its Covered Entity client(s) to engage subcontractors to create, receive, maintain, or transmit PHI.
Lawful Basis for Disclosure. Customer has obtained, and will maintain throughout the term of this Agreement, all necessary authorizations, consents, and other legal bases required under HIPAA, state law, and any other applicable law to disclose PHI to Business Associate for the purposes described in this Agreement. Customer will not provide PHI to Business Associate unless Customer has a lawful basis under HIPAA to do so.
Accuracy of Information. All information provided by Customer during account registration, including organization name, organization type, and contact information, is accurate, current, and complete. Customer will promptly update such information if it changes.
Notice of Restrictions. Customer shall notify Business Associate in writing of any limitation(s) in its notice of privacy practices, any changes in or revocation of permission by an Individual to use or disclose PHI, and any restriction to the use or disclosure of PHI that Customer has agreed to, in each case to the extent that such limitation, change, revocation, or restriction may affect Business Associate's use or disclosure of PHI.
42 C.F.R. Part 2 Records. Customer represents and warrants that it will not provide to Business Associate any records subject to 42 C.F.R. Part 2 (substance use disorder patient records) unless Customer has obtained all consents and legal authority required under 42 C.F.R. Part 2 to permit Business Associate to receive, use, de-identify (if applicable), and otherwise process such records as contemplated by this Agreement. Customer acknowledges that 42 C.F.R. Part 2 records are subject to additional federal protections beyond HIPAA and that Customer bears sole responsibility for ensuring compliance with 42 C.F.R. Part 2 prior to disclosing such records to Business Associate.
Permissible Requests. Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (except for data aggregation or the management and administrative activities of Business Associate as expressly permitted under this Agreement).
Downstream Compliance. If Customer is a Business Associate engaging S7 Lab as a subcontractor, Customer represents and warrants that: (i) Customer's business associate agreement(s) with its Covered Entity client(s) permit Customer to engage subcontractors; (ii) Customer has complied with all notice or approval requirements (if any) under such agreement(s) related to engaging subcontractors; and (iii) Customer will flow down to Business Associate only those obligations that are consistent with this Agreement.
Compliance Responsibility. Customer acknowledges and agrees that Customer is solely responsible for ensuring its own compliance with HIPAA, including but not limited to: (i) implementing appropriate administrative, physical, and technical safeguards within Customer's own systems; (ii) training Customer's workforce on HIPAA requirements; (iii) maintaining required documentation; and (iv) responding to Individual requests for access, amendment, and accounting of disclosures. Business Associate's obligations under this Agreement do not relieve Customer of Customer's independent compliance obligations under HIPAA.
6. Indemnification
Indemnification by Customer. Customer shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs of litigation or settlement) arising out of or relating to: (i) Customer's breach of any representation, warranty, or covenant in this Agreement; (ii) Customer's violation of HIPAA, 42 C.F.R. Part 2, or any other applicable law; (iii) Customer's disclosure of PHI to Business Associate without proper authorization or legal basis; (iv) any claim by an Individual or third party arising from Customer's acts or omissions; or (v) Customer's negligence or willful misconduct.
Indemnification by Business Associate. Business Associate shall indemnify, defend, and hold harmless Customer from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and costs of litigation or settlement) arising out of or relating to: (i) Business Associate's breach of this Agreement; (ii) Business Associate's violation of HIPAA in the performance of its obligations under this Agreement; or (iii) Business Associate's negligence or willful misconduct.
Indemnification Procedures. The indemnified Party shall: (i) promptly notify the indemnifying Party in writing of any claim for which indemnification is sought; (ii) give the indemnifying Party sole control of the defense and settlement of such claim (provided that the indemnifying Party shall not settle any claim in a manner that adversely affects the indemnified Party without the indemnified Party's prior written consent); and (iii) provide reasonable cooperation to the indemnifying Party at the indemnifying Party's expense.
7. Term and Termination
Term. This Agreement shall be effective as of the Effective Date and shall continue until terminated by either Party or until Customer's account with Business Associate is terminated, whichever occurs first.
Termination for Cause by Customer. Customer may terminate this Agreement immediately upon written notice to Business Associate if Business Associate materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice of the breach from Customer.
Termination for Cause by Business Associate. Business Associate may terminate this Agreement immediately upon written notice to Customer if Customer materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice of the breach from Business Associate. Business Associate may report any material breach by Customer to the U.S. Department of Health and Human Services.
Termination for Convenience. Either Party may terminate this Agreement for any reason upon thirty (30) days' prior written notice to the other Party.
Obligations Upon Termination. Upon termination of this Agreement for any reason, Business Associate shall, at the direction of Customer: (i) return all PHI to Customer; or (ii) destroy all PHI and retain no copies thereof, if return is not feasible. If return or destruction of the PHI is not feasible in Business Associate's reasonable judgment, Business Associate shall notify Customer in writing of the conditions that make return or destruction infeasible, and upon mutual agreement of the Parties, Business Associate shall extend the protections of this Agreement to such PHI for as long as Business Associate retains it and shall limit further uses and disclosures to those purposes that make return or destruction infeasible. The obligations of Business Associate under this Section shall apply to PHI in the possession of Business Associate's subcontractors.
De-identified Data. For clarity, de-identified data created and retained by Business Associate in accordance with Section 4(c) of this Agreement shall not be deemed PHI and is not subject to return or destruction obligations.
Survival. The provisions of Sections 3, 4, 5, 6, 7(e), 7(f), 8, and 9 shall survive the termination or expiration of this Agreement.
8. Limitation of Liability
EXCEPT FOR A PARTY'S INDEMNIFICATION OBLIGATIONS UNDER SECTION 6, BREACHES OF CONFIDENTIALITY OBLIGATIONS, OR A PARTY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, OR GOODWILL, ARISING OUT OF OR RELATED TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR WHETHER EITHER PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
NOTHING IN THIS SECTION SHALL LIMIT EITHER PARTY'S LIABILITY FOR: (I) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE; (II) FRAUD OR FRAUDULENT MISREPRESENTATION; OR (III) ANY OTHER LIABILITY THAT CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW.
9. General Provisions
Notices. All notices or other communications required or permitted under this Agreement shall be in writing and shall be sent by email. Notices to Business Associate shall be sent to: legal@s7-lab.health. Notices to Customer shall be sent to the email address associated with Customer's account. Either Party may change its notice address by providing written notice to the other Party.
Governing Law. This Agreement shall be governed by and construed under the laws of the State of Delaware, without regard to its conflict of laws principles.
Dispute Resolution. Any dispute arising out of or relating to this Agreement shall be resolved in the state or federal courts located in Delaware, and each Party hereby consents to the exclusive jurisdiction and venue of such courts.
Entire Agreement. This Agreement constitutes the entire understanding between the Parties concerning the subject matter hereof and supersedes all prior negotiations, representations, warranties, and agreements between the Parties with respect to such subject matter.
Amendment. Business Associate may amend this Agreement at any time by posting a revised version on its website and providing notice to Customer via email. Customer's continued use of the Services after such notice constitutes acceptance of the amended Agreement. Notwithstanding the foregoing, any amendment that materially and adversely affects Customer's rights under this Agreement shall not be effective until thirty (30) days after notice is provided, during which time Customer may terminate this Agreement without penalty.
Severability. If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.
Waiver. The waiver by either Party of any right under this Agreement shall not constitute a continuing waiver or a waiver of any other right under this Agreement.
Interpretation. This Agreement shall be interpreted in a manner consistent with the HIPAA Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.
Regulatory References. Any reference in this Agreement to a section of the HIPAA Rules shall mean the section as in effect or as amended from time to time.
Independent Contractors. The Parties are independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship between the Parties.
Assignment. Customer may not assign this Agreement without Business Associate's prior written consent. Business Associate may assign this Agreement to any successor in interest or acquirer of all or substantially all of Business Associate's assets or business.
ELECTRONIC ACCEPTANCE
By clicking "I Agree," checking the box indicating acceptance of this Business Associate Agreement, or otherwise manifesting assent through the S7 Lab platform, Customer acknowledges that Customer has read, understood, and agrees to be bound by all terms and conditions of this Agreement.
Customer further acknowledges and confirms that:
• The individual accepting this Agreement is authorized to bind Customer to this Agreement;
• Customer is a HIPAA Covered Entity or Business Associate;
• Customer will only disclose PHI to S7 Lab for which Customer has obtained proper authorization or has a lawful basis under HIPAA; and
• Customer has read and understood Customer's obligations and responsibilities under this Agreement.
S7 Lab, Inc.
251 Little Falls Drive
Wilmington, DE 19808
Email: legal@s7-lab.health