MASTER DATA SOLUTIONS AGREEMENT
Version 10.2024
This Master Data Solutions Agreement ("Agreement") is by and between tevixMD Corporation, a Delaware corporation ("tevixMD”) and the Subscriber identified on the Service Addendum and Order (“SAO”) form referencing this Agreement (the “Subscriber”). tevixMD and Subscriber are referred to herein individually as a “Party” and collectively as the “Parties.”
This Agreement consists of: (i) the General Terms set forth in this document, (ii) the terms of any signed Service Addenda and Order Form (SAO) executed by the Subscriber, (iii) the Business Associate Addendum between the Parties, (iv) any other exhibits, supplements and addenda referenced in and attached to this Agreement and, (iv) the Documentation as defined herein. In the event of any conflict between the terms in the documents described in (i) through (iv) above, such conflict shall be resolved in the hierarchy of the order of the documents listed in (i) through (iv) above, unless such document expressly recites that the conflicting term prevails.
GENERAL TERMS
1. Recitals.
tevixMD is in the business of providing patient identification, health care plan eligibility and payment management data services to various health care providers and other entities in the healthcare industry. Subscriber participates in the health care industry and desires to utilize tevixMD’s services for the permitted uses described herein. tevixMD is not a "consumer reporting agency," as such term is defined in the Federal Fair Credit Reporting Act (15 USC § 1681 et seq.) including, without limitation, all amendments thereto and equivalent state laws (collectively, the "FCRA”), and its information services and products do not constitute "consumer reports," as such term is defined in the FCRA.
2. Definitions.
As used in this Agreement, the following terms shall have the particular meanings as defined below.
2.1. “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device, used alone or in combination, to verify an individual's identity and authorization to access and use the tevixMD Services.
2.2. “Administrative Data” means the non-content aspects of the data and information related to Subscriber’s use of the tevixMD Services, such as log-in times and log-in duration. tevixMD will use Administrative Data in an aggregate and anonymized manner for internal statistical compilations and performance monitoring solely for internal use related to product development and enhancement of the Services.
2.3. "Affiliate” means any entity that directly or indirectly controls, or is controlled by, or is under common control with, a Party. For the purposes of this definition, "control" means: (a) in the case of corporate entities, direct or indirect ownership of fifty percent (50%) or more of the stock or shares entitled to vote for the election of the board of directors or other governing body of the entity, and (b) in the case of non-corporate entities, direct or indirect ownership of fifty percent (50%) or more of the equity interest.
2.4. "Applicable Laws" means any and all applicable federal, state, or local law, rule or regulation, regulatory directive, or binding administrative or court decision.
2.5. "Approved Access Method(s)" means the approved means by which Subscriber may access and obtain the tevixMD Data, as mutually agreed upon by the Parties, which includes, but is not limited to, access by application programing interface ("API") to tevixMD's system in accordance with tevixMD’s API technical specifications documentation, as initially provided, and as may be updated from time to time, by tevixMD upon prior notice to Subscriber.
2.6. "Authorized Users" means Subscriber's employees, consultants, contractors, and agents who are authorized by Subscriber to access and use the tevixMD Services pursuant to the rights granted to Subscriber under this Agreement.
2.7. “Credentialing" means credentialing, background checking, and vetting of Subscriber and its business history to confirm the Subscriber’s eligibility for receipt of, and intended uses of, the tevixMD Data obtained under this Agreement.
2.8. “Documentation” means all manuals, instructions, policies or other documents or materials that tevixMD makes available to Subscriber in any form or medium and which describe the functionality, components, features, or requirements of the tevixMD Services.
2.9. "DPPA" means the federal Driver's Privacy Protection Act, 18 U.S. Code§ 2721 et seq., and various, similar state statutes.
2.10. “FCRA” means the Federal Fair Credit Reporting Act (15 USC § 1681 et seq.) including, without limitation, all amendments thereto and equivalent state laws and its information services and products do not constitute "consumer reports," as such term is defined in the FCRA.
2.11. "FCRA Purpose(s)" means use for any FCRA purposes including, but not limited to, use as a factor in determining eligibility for credit, insurance, or employment or for any other "permissible purpose," as defined in and contemplated by the FCRA, or use for purposes of (or in connection with) taking any "adverse action," as defined in the FCRA.
2.12. "GLBA" means a permitted use set forth in 15 U.S. Code§ 6802 of the Gramm-Leach-Bliley Act (Public Law No. 106-102, enacted in 1999), as amended from time to time, including, but not limited to, the United States Federal Trade Commission rules promulgated thereunder, as may be interpreted from time to time, by competent legislative, regulatory or judicial authority.
2.13. “Healthcare Industry” means any preventive, remedial, and/or therapeutic services provided by institutions, such as hospitals and urgent care facilities, doctors, dentists, medical administrators, government agencies, voluntary agencies, non-institutional care facilities, pharmaceutical, medical laboratories, and medical equipment manufacturers.
2.14. “Intellectual Property Rights" means any and all copyrights, patents, trademarks, trade secrets, and any other intellectual property rights recognized under applicable law associated with or relating to proprietary data, software products, databases, tools, platforms, materials, technologies, formulae, algorithms, methodologies, processes, and methodologies, designs, ideas, concepts, research, discoveries, work product, materials, inventions and invention disclosures (whether or not patentable or reduced to practice), know-how and any all extensions, modifications and enhancements thereto, and derivative works thereof.
2.15. “Marks” means a Party’s party’s trademarks, trade names, service marks, logos or other marks or symbols whether or not registered by any government agency.
2.16. “Monitoring" means the monitoring performed by tevixMD of Subscriber on an ongoing basis, as further specified in this Agreement, to confirm and ensure that the Subscriber continues to meet the requirements of this Agreement.
2.17. “Order” means the Service Addendum and Order Form (“SAO”) and the type, quantity and pricing of the tevixMD Services subscribed by Subscriber under this Agreement.
2.18. "Permitted Uses" means uses of the tevixMD Services by a Subscriber and its Authorized Persons to confirm the identify and health plan eligibility of Subscriber’s own patients for health care payment purposes, subject in all events to the terms of this Agreement, the Documentation and Applicable Law.
2.19. “SaaS Solution” means tevixMD’s proprietary, web-based patient identification, health plan eligibility and payment management software and associated mobile applications.
2.20. “Site Inspection” means the physical inspection of the Subscriber’s location(s) as provided in Appendix C of the SAO referencing this Agreement.
2.21. “Subscriber Data" means information, data, and other content, in any form or medium that is collected, downloaded, or otherwise received, directly or indirectly, from Subscriber or an Authorized User by or through a tevixMD Service. For the avoidance of doubt, Subscriber Data does not include Administrative Data or any other information reflecting the access or use of the Services by or on behalf of Subscriber or any Authorized User.
2.22. “Support Services” means the SaaS Solution support services provided by tevixMD to Subscriber under Appendix B to this Agreement.
2.23. “Territory” means the United States of America.
2.24. “tevixMD Data” means the data and derivatives thereof provided by tevixMD to Subscriber as part of a Transaction through a tevixMD Service under this Agreement.
2.25. “tevixMD Service(s)” means the act of providing, furnishing, or making available the tevixMD Data to Subscriber via an Approved Access Method under one or more of the tevixMD products selected by Subscriber. tevixMD Services includes the SaaS Solution, the Support Services, and such additional service offerings purchased or subscribed by Subscriber from tevixMD under this Agreement and any Order. The term tevixMD Services is separate from the actual tevixMD Data provided, furnished or made available to Subscriber under this Agreement.
2.26. “Transaction” means any inquiry initiated by Subscriber via input of Subscriber Data to a tevixMD Service under this Agreement.
3. Ordering.
3.1. Orders. These General Terms govern the subscription, access to and use of the tevixMD Services, which TevixMD agrees to provide per the provisions herein and in applicable Orders. Subscriber’s use of a tevixMD Service is made only via an Order signed by the Parties, which Order is subject to credit approval, Credentialing and acceptance by tevixMD. Orders may expire or terminate according to their terms without termination of this Agreement. tevixMD shall not be liable for any damages arising out of tevixMD's failure or delay in fulfilling any Order.
3.2. Effectiveness of Orders. Orders shall become effective, if at all, only after tevixMD has completed Credentialing and performed a Site Inspection acceptable to tevixMD.
4. tevixMD SaaS Licensing.
Subject to the provisions set forth in this Agreement, tevixMD grants Subscriber a non-exclusive, time-limited, non-assignable right and license (“License”) to access and use the SaaS Solution, the tevixMD Services and their related Documentation for use by Authorized Users solely for Permitted Uses within the Territory during the Term. The License is limited to use of the tevixMD Services by Authorized Users through Approved Access Methods solely to support Subscriber’s internal business operations. Subscriber shall be solely responsible for issuing Access Credentials to its Authorized Users and activating and de-activating access to the tevixMD Services by Authorized Users upon termination of the Authorized User’s affiliation with Subscriber or such user’s breach of this Agreement. Subscriber is responsible for (i) the acts and omissions of its Authorized Users’ use of the TevixMD Services inconsistent with this Agreement and the Documentation, and (ii) ensuring the protection against unauthorized disclosure or use of Access Credentials. There is no implied license under this Agreement, and any rights not expressly granted to Subscriber are reserved by tevixMD for tevixMD’s own use and benefit.
In the event that Subscriber desires to provide access to the tevixMD Services to an individual or corporate contractor (“Contractors”) for the purpose of processing Subscriber’s data, Subscriber shall notify tevixMD in advance of providing such access. Such access shall not be provided unless and until Subscriber and Contractors have entered into an addendum to this Agreement whereby Contractors agree to be bound by the terms of this Agreement, including its’ various indemnification provisions. Additionally, if required by tevixMD, in it’s sole discretion, Contractors’ work locations may be subjected to site inspections prior to authorization by tevixMD to provide access to the tevixMD Services.
5. Prohibited Uses.
Subscriber shall not, and shall not permit an Authorized User to, directly or indirectly, access or use the tevixMD Services or the tevixMD Data, in whole or in part, for any of the following uses, each a "Prohibited Use," and collectively, the "Prohibited Uses":
(a) selling, transferring, distributing or marketing any tevixMD Data to any third party persons or entities through any brokers, sales agents, distributors, or otherwise;
(b) using tevixMD Services or the tevixMD Data in any business or industry other than the Healthcare Industry;
(c) to locate suspects in a criminal or civil lawsuit in order to develop a news story;
(d) to track down victims of fraud, their family members or friends to develop a news story;
(e) to locate lost loves, friends, family members or for personal reasons;
(f) for purposes that may cause physical or emotional harm to the subject of a transaction;
(g) to search for individuals involved in an adoption;
(h) to locate personal information on well-known / high profile celebrities, including government officials, unless for medical and billing purposes only;
(i) in connection with debt consolidation, credit repair services or credit counseling services, to locate previous debtors or to assist in the determination of whether or not to file a personal lawsuit or judgment against the subject of the report;
(j) to access individual reference data on one’s self or out of personal curiosity;
(k) to allow persons or entities other than Subscriber or Subscriber’s Authorized Users to use the SaaS Solution or perform a Transaction;
(l) by professional and commercial users for purposes that are not within their normal course of business.
(m) except as expressly permitted in this Agreement. output, resell, install, distribute, or provide access to tevixMD Data, or any portion or component thereof, to any third party;
(n) FCRA Purposes;
(o) for marketing purposes; or
(p) to incorporate the tevixMD Data into any products or services offered or sold by Subscriber.
In addition, Subscriber is prohibited from selling, transferring, distributing or marketing any tevixMD Data to any third party persons or entities.
6. Restrictions and Reservations of Rights.
6.1. Title to tevixMD Services and each copy thereof, as well as all work products, deliverables, derivative works, and other works of authorship or inventions provided by tevixMD or its representatives or based upon or utilizing any tevixMD's patents, trademarks, copyrights, trade secrets or other Intellectual Property Rights of tevixMD or its licensors (collectively, “tevixMD Items”), shall at all times be, remain and vest solely with tevixMD. Subscriber hereby assigns to tevixMD all right, title, and interest in and to all information, materials, items and intellectual property that qualifies as tevixMD Items.
6.2. If tevixMD provides or incorporates any third-party software, technology, Intellectual Property Rights or other items, such parties shall be entitled to the benefit of the obligations incurred by Subscriber hereunder. Third-party items may be subject to additional license or restriction as specified by such third-party, and tevixMD may, as indicated in the Order, pass through to Subscriber such party’s required license terms and conditions. Unless otherwise set forth in the Order, tevixMD has no obligation regarding third party items.
6.3. The use by Subscriber of any of tevixMD’s Intellectual Property Rights is authorized only for the purposes set forth in this Agreement, and Subscriber shall not reverse assemble, modify, adapt, decompile, sell, license, transfer, publish, disclose, display or otherwise make available any tevixMD Items other than as provided in this Agreement. tevixMD reserves the right to Monitor and review Subscriber’s use of tevixMD Services and to verify and ensure compliance with the provisions of this Agreement.
7. Service Solutions.
7.1. SaaS Services. Subject to the provisions of this Agreement, tevixMD shall provide to Subscriber such tevixMD Service services as are selected in the SAO. The Services will be hosted on servers made available through tevixMD and will be provided in accordance with then-current hosting service policies and practices of tevixMD and such third-party supplier or service provider, if any, that tevixMD may use.
7.2. Support Services. tevixMD will provide the Support Services as set forth on Appendix B attached hereto.
7.3. Service Manager. Each Party shall maintain within its organization a Service Manager to serve as such Party's primary point of contact for day-to-day communications, consultation, and decision-making regarding this Agreement. Each Service Manager shall be responsible for providing all day-to-day consents and approvals on behalf of such Party under this Agreement. If either Party's Service Manager ceases to be employed by such Party or such Party otherwise wishes to replace its Service Manager, such Party shall promptly name a new Service Manager by written notice to the other Party.
7.4. Changes. TevixMD reserves the right, in its sole discretion, to make any changes to the tevixMD Services and Documentation that it deems necessary or useful to maintain or enhance the quality or delivery of tevixMD' s services to its Subscribers or to comply with Applicable Law.
7.5. Suspension or Termination of Services. tevixMD may, directly or indirectly, suspend, terminate, or otherwise deny Subscriber's or Authorized User's access to or use of all or any part of the tevixMD Service, without incurring any resulting obligation or liability, if: (a) tevixMD receives a judicial or other governmental demand or order, subpoena, or law enforcement request that expressly or by reasonable implication requires tevixMD to do so; or (b) tevixMD believes, in its discretion, that: (i) Subscriber or any Authorized User has failed to comply with any term of this Agreement, or accessed or used the tevixMD Service beyond the scope of the rights granted or for a purpose not authorized under this Agreement or in any manner that does not comply with the Documentation; (ii) Subscriber or any Authorized User is, has been, or is likely to be involved in any fraudulent, misleading, or unlawful activities, including being listed on an Alert List provided by tevixMD’s data providers, relating to or in connection with any of the tevixMD Service; or (iii) this Agreement expires or is terminated. This Section 7.5 does not limit any of tevixMD's other rights or remedies, whether at law, in equity, or under this Agreement.
8. Subscriber Resources.
Unless and to the extent expressly specified otherwise in the Order, Subscriber agrees to obtain and/or provide sufficient technical and non-technical resources, at its own expense, to properly, timely and reliably access, use, implement, operate and support the tevixMD Services, including (without limitation) such hardware (e.g. computers, routers, etc.), software (e.g. operating, browser, etc.), and communication services (e.g., phone lines, Internet access, etc.).
9. Term.
9.1. Term. Unless earlier terminated by the terms of this Agreement, this Agreement commences on the Effective Date listed on the respective Order referencing this Agreement and continues for a period of two (2) years thereafter (the “Initial Term”). This Agreement shall be automatically extended for renewal terms of one (1) year each (a “Renewal Term”) upon expiration of the Initial Term, and any subsequent renewal term, unless either Party gives notice to the other at least ninety (90) days prior to the end of the then-current period. The Initial Term and Renewal Term shall be referred to herein collectively as the “Term.” The expiration or termination of any one Order shall not cause the termination of this Agreement as a whole.
9.2. Conditions to Effectiveness of Order. tevixMD’s obligations to provide any tevixMD Service under an Order is conditioned upon tevixMD’s prior approval in its sole discretion of the Subscriber Credentialing and a Site Inspection.
10. Termination.
In addition to any other provisions expressly allowing for termination, this Agreement may be terminated as follows:
10.1. Immediately upon written notice by tevixMD to Subscriber describing Subscriber’s breach of its obligations under Sections 4, 5, 13, 14 or 16 of this Agreement;
10.2. Other than situations provided in Section 10.1, a non-breaching Party may terminate this Agreement sixty (60) days after giving written notice of material breach of this Agreement to the other if such breach is not cured within such period, although only ten (10) days to cure applies when the breach involves the failure to pay amounts due tevixMD;
10.3. Immediately by either Party if a Party files any debtor relief action under the Bankruptcy Code, is unable to, or admits in writing, its inability to pay its debts as they become due, makes an assignment for the benefit of creditors, has a receiver appointed, voluntary or otherwise, for its property, or is adjudicated bankrupt, suspends its business, or becomes insolvent; or
10.4. Immediately if a Party fails to materially comply with Applicable Laws governing such Party’s obligations hereunder.
11. Effects of Termination.
Upon the effective date of any termination or expiration of this Agreement:
11.1. The entire balance of all monies owed by Subscriber to tevixMD shall be immediately due and payable;
11.2. Subscriber shall immediately cease accessing and/or using all tevixMD Services, tevixMD Confidential Information and tevixMD Marks; and
11.3. Subscriber shall return to tevixMD all tevixMD Items that it possesses and shall delete and remove from its systems all digital or other copies of the same
In addition to those provisions expressly surviving termination or expiration, Sections 5, 12, 13, 16, 18, 20, 22, and 23 of this Agreement shall survive termination or expiration of this Agreement and shall continue to bind the Parties and their legal representatives, successors, transferees and assignees.
12. Payments.
12.1. Fees. Subscriber shall pay tevixMD the fees set forth in a signed Order in accordance with this Section 12 (the “Fees”).
12.2. Taxes. All Fees and other amounts payable by Subscriber under this Agreement are exclusive of taxes and similar assessments. Without limiting the foregoing, Subscriber is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Subscriber hereunder.
12.3. Payment. Subscriber shall pay all Fees and Reimbursable Expenses within 30 days of the invoice date. Subscriber shall make all payments hereunder in US dollars by check, wire or ACH to the address or account specified in the Order or such other address or account as tevixMD may specify in writing from time to time. Payment shall be due in full as the times set forth above without any setoff, recoupment, counterclaim, deduction, debit, or withholding for any reason.
12.4. Late Payment. If Subscriber fails to make any payment when due then, in addition to all other remedies that may be available: (i) tevixMD may charge interest on the past due amount at the rate of 1.5% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable Law; (ii) Subscriber shall reimburse tevixMD for all costs incurred by tevixMD in collecting any late payments or interest, including attorneys' fees, court costs, and collection agency fees; and (iii) if such failure continues for fifteen (15) days following written notice thereof, tevixMD may suspend performance of the Services until all past due amounts and interest thereon have been paid, without incurring any obligation or liability to Subscriber or any other person by reason of such suspension.
12.5. Recurring License Fee Coverage. The Recurring License Fee includes the following: Continued Testing and Verification, Systems Monitoring, Network Monitoring, ID/Address check Passthrough Transactions (AccuPAS only), All Third-Party Software Fees, All Third-Party License Fees, tevixMD Security Updates, tevixMD System Patches, tevixMD Service Packs, tevixMD Hot Fixes, tevixMD Version Upgrades.
12.6. Optional Items
12.6.1. Optional Item: tevixMD Integrations. An official price will be included in the signed agreement. Any hours spent beyond those stipulated in the following table will be billed according to the rates in the "Professional Services" section (12.6.2). For all integration types, 50% of the fee is due at agreement execution and the remaining 50% upon delivery. Integrations are not available for Eligibility-Only or SMART ID transaction types.
| Integration Type | Description | Hours | Notes |
|---|---|---|---|
| tevixMD Integrator | Scope, Design, Testing, Deployment, Configuration, and Support of a custom browser extension. | 80 | - |
| Transfer Agent | Custom development using the Windows API to fill in demographic and eligibility data into target Windows application fields. | 80 | - |
| HL7 Integration | Technical discovery calls, technical assistance, security, and compliance approval process. Supports ORM, ADT, and ORU message types out-of-the-box. | 40 | Any other HL7 messages, adjustments to supported messages, or unsupported HL7 versions are not in scope. |
| iFrame Integration | Technical discovery calls, technical assistance, security, and compliance approval process. | 40 | tevixMD development for adjustments to the iFrame/API solution is not included. |
| API Integration | Technical discovery calls, technical assistance, security, and compliance approval process. | 40 | tevixMD development for adjustments to the API is not included. |
12.6.2. Optional Item: Professional Services. If Requested, the Following Professional Services Items will be Billed at the Hourly Rate:
| Professional Services | List Rate |
|---|---|
| tevixMD Integrator Development (beyond included hours defined in section 12.6.1, or adjustments after client reception) | $250 |
| Custom programming / development (including document and report generation) | $250 |
| Support for issues not caused by tevixMD | $150 |
| Implementation Services | $150 |
| Training services (beyond licensed training hours) | $150 |
12.6.3. Optional Item: Travel and Living Expenses. If the Subscriber requests onsite help for any services, travel and living expenses will be at an additional cost and invoiced on the next monthly invoice.
13. Data, Content and Security.
13.1. Portability and Security. Each Party is responsible for complying with the privacy laws applicable to its operations, including (without imitation) the Health Insurance Privacy and Accountability Act Privacy Rule and Security Rule (“HIPAA”) and the Health Information technology for Economic and Clinical Health Act (“HITECH”). The parties shall execute a HIPAA compliant Business Associate Agreement (“BAA”) in the form of Appendix D attached to the Order.
13.2. Access. Subscriber shall employ all physical, administrative, and technical controls, screening, and security procedures and other safeguards necessary to: (a) securely administer the distribution and use of all Access Credentials and protect against any unauthorized access to or use of the Services; and (b) control the content and use of Subscriber Data, including the uploading or other provision of Subscriber Data. As part of the regular use of the tevixMD Services, Subscriber (or its representatives, Authorized Users and/or patients) will input Protected Health Information (as defined in the BAA) into the SaaS Solution. Notwithstanding anything to the contrary in this Agreement, tevixMD and its representatives are hereby granted the right to use, store and display Subscriber Data as follows: (i) in connection with performance of tevixMD’s duties as described herein; (ii) to create backup copies of data for recovery in case of catastrophic system failure or routine file repair; (iii) to troubleshoot the relevant system, isolate problems and resolve them within the system itself; (iv) to generate aggregate statistical and analytical reports; and (v) to de-identify such data in accordance with accepted standards of de-identification described in the HIPAA Privacy Rule and use such de-identified data for purposes of health informatics and as needed for its business.
13.3. Subscriber Data. Subscriber shall be responsible for the accuracy and propriety nature of all Subscriber Data. tevixMD has no obligation to review or approve the Subscriber Data prior to processing such data as part of a Transaction. Subscriber shall defend, indemnify and hold tevixMD, its owners, employees, directors and contractors harmless against all losses, damages, penalties, expenses (including attorneys fees and investigation costs) arising out of Subscriber Data to tevixMD which data, when processed appropriately by tevixMD, leads to allegations, claims or repayment demands from any patient or third party payor of health care services.
13.4. Offshoring. Without the express prior written consent of tevixMD, Subscriber must maintain the tevixMD Data in the United States and may not house or maintain the tevixMD Data on servers, equipment, electronic systems or any other types of devices or systems contained outside of the United States.
14. Monitoring.
Subscriber acknowledges that tevixMD shall, at its own cost and expense, conduct commercially appropriate Monitoring to confirm Subscriber’s continued compliance with this Agreement and Applicable Laws. tevixMD shall immediately suspend and cease providing the Services to any Subscriber that no longer meets the credentialing requirements until such non-compliance has been investigated and remediated to tevixMD’s satisfaction. tevixMD may nonetheless immediately terminate Subscriber’s access to tevixMD Data if a violation of Applicable Law or this Agreement is confirmed.
15. Non-solicitation.
During the Agreement and for two (2) years after its termination, Subscriber shall not, directly or indirectly, solicit or offer to hire, hire, or retain as an employee or contractor any person employed or retained during such period or within the preceding twelve (12) months by tevixMD without tevixMD’s prior written consent in each instance. In the event of a breach of such commitment, Subscriber shall immediately pay tevixMD, as liquidated damages, an amount equal to the compensation (including salary, commission and bonus, whether due in cash, equity or otherwise) earned by such person(s) in the preceding twelve-month period.
16. Confidentiality.
Each Party expressly undertakes to retain in confidence all information and know-how transmitted to the other that the disclosing party has identified as being proprietary and/or confidential (“Confidential Information”), and expressly undertakes to make no use of Confidential Information except as required to perform its obligations under this Agreement during its term. All Confidential Information shall be treated by the receiving party with the same degree of care as is used with respect to the receiving party’s own information of like importance that is to be kept confidential to prevent disclosure to any third party (but in no event less than reasonable care). However, neither Party shall have an obligation to maintain the confidentiality of information that:
(a) is already in the public domain or subsequently becomes available to the public through no fault of the receiving party;
(b) was lawfully in the receiving party’s possession prior to receipt from the disclosing party;
(c) is independently developed by the receiving party;
(d) is received independently from a third party free to lawfully disclose such information; or
(e) is generally made available to third parties by the disclosing party without restrictions on disclosure.
Unless otherwise mutually agreed in writing, the receiving party’s obligations hereunder with respect to each item of Confidential Information shall survive for three (3) years after the termination or expiration of this Agreement; provided, however, the obligations herein for Confidential Information that is a trade secret or subject to a longer period of confidential treatment per applicable law (e.g. patient information) shall continue past such three (3) years for as long as such information remains qualified for such treatment. The provisions of this Section are in addition to, and not in lieu of, other agreements between tevixMD and Subscriber concerning the protection of proprietary or confidential information.
17. Representations and Warranties.
17.1. Subscriber represents and warrants to tevixMD that: (a) it has full right, power and authority to enter into this Agreement and to perform all of its obligations hereunder; (b) the execution and delivery of this Agreement and the performance by Subscriber of its obligations hereunder do not and will not constitute any material breach of any agreement to which Subscriber is a party; and (c) Subscriber shall comply with all Applicable Laws in the performance of its obligations hereunder.
17.2. While tevixMD obtains information from a variety of third-party Sources that tevixMD believes to be reliable in general, tevixMD does not warrant that any particular item of tevixMD Data is accurate. Subscriber acknowledges that information from such third-party Sources is sometimes entered poorly, processed incorrectly, and is generally not free from defect. ACCORDINGLY, THE TEVIXMD DATA SHOULD NOT BE RELIED UPON AS ACCURATE. TEVIXMD, FOR ITSELF AND ITS SUPPLIERS, LICENSORS AND AFFILIATES (I) PROVIDES THE TEVIXMD DATA AND THE TEVIXMD SERVICES ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED; (II) MAKES NO WARRANTIES THAT THE USE OF THE TEVIX DATA AND THE TEVIXMD SERVICES WILL BE UNINTERRUPTED, TIMELY, FREE FROM VIRUSES OR OTHER DISABLING / HARMFUL CODE, SECURE OR BUG / ERROR-FREE; AND (III) EXPRESSLY DISCLAIM THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, DATA ACCURACY AND NON-INFRINGEMENT.
TEVIXMD SHALL NOT BE LIABLE TO SUBSCRIBER OR TO AUTHORIZED USERS FOR ANY LOSS OR INJURY ARISING OUT OF OR CAUSED IN WHOLE OR IN PART BY TEVIXMD'S ACTS OR OMISSIONS, WHETHER NEGLIGENT OR OTHERWISE, IN PROCURING, COMPILING, COLLECTING, INTERPRETING, REPORTING, COMMUNICATING OR DELIVERING TEVIXMD SERVICES AND/OR TEVIXMD DATA.
18. LIMITATIONS OF LIABILITY.
18.1. EXCEPT AS EXPRESSLY PROVIDED OTHERWISE IN THIS AGREEMENT, IN NO EVENT SHALL TEVIXMD'S AGGREGATE LIABILITY, IF ANY, TO THE OTHER UNDER THIS AGREEMENT EXCEED THE LESSER OF $1200 OR THE AMOUNT OF ACTUAL DAMAGES INCURRED. MOREOVER, EXCEPT AS EXPRESSLY PROVIDED OTHERWISE IN THIS AGREEMENT, NEITHER PARTY SHALL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR ANY OTHER INDIRECT DAMAGES, WHETHER OR NOT FORESEEABLE AND HOWEVER ARISING, INCLUDING BUT NOT LIMITED TO LOST INCOME OR LOST REVENUE, WHETHER BASED IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, INDEMNIFICATION, OR ANY OTHER THEORY EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
18.2. IN NO EVENT SHALL THE LIMITATIONS OF LIABILITY SET FORTH IN SECTION 11.1 OF THIS AGREEMENT APPLY TO: (A) SUBSCRIBER'S LIABLITY FOR ANY AND ALL DAMAGES INCURRED BY TEVIXMD AS A RESULT OF GOVERNMENTAL, REGULATORY OR JUDICIAL ACTIONS (INCLUDING, BUT NOT LIMITED TO, FINES, PENALTIES, INTEREST AND OTHER PECUNIARY ASSESSMENTS) PERTAINING TO VIOLATIONS OF THE FCRA, GLBA, DPPA, OTHER APPLICABLE LAWS, OR JUDICIAL ACTIONS, OR ANY COMBINATION OF THE FOREGOING, TO THE EXTENT SUCH DAMAGES RESULT FROM SUBSCRIBER'S BREACH OF ITS OBLIGATIONS UNDER THIS AGREEMENT; (B) SUBSCRIBER'S LIABLITY FOR ANY AND ALL DAMAGES INCURRED BY TEVIXMD AS A RESULT OF SUBSCRIBER'S BREACH, MISUSE OR MISAPPROPRIATION OF TEVIXMD' INTELLECTUAL PROPERTY RIGHTS; (C) EITHER PARTY'S OBLIGATION TO INDEMNIFY THE OTHER PARTY PURSUANT TO SECTION 20 OF THIS AGREEMENT; OR (D) DAMAGES INCURRED BY TEVIXMD AS A RESULT OF THE SUBSCRIBER'S BREACH OF ITS OBLIGATIONS RESPECTING CONFIDENTIALITY AND SAFEGUARDS WHICH RESULTS IN UNAUTHORIZED ACCESS TO, USE OF, CONTROL OVER, OR DISCLOSURE OF TEVIXMD' CONFIDENTIAL INFORMATION.
19. Insurance.
19.1. Subscriber Insurance. During the Term of this Agreement, Subscriber shall maintain, at its own cost and expense, the following minimum insurance coverage in full force and effect with insurers rated A VII or better by A.M. Best to cover Subscriber's activities, those of any and all subcontractors, or anyone directly employed by any of them: (i) commercial general liability insurance (primary and umbrella/excess) coverage with limits of at least $3,000,000 per occurrence, (ii) professional liability insurance (primary and excess) covering errors and omissions with limits of at least $3,000,000 per claim, and (iii) statutorily required workers' compensation insurance and employer's liability insurance in regions where Subscriber maintains employees in amounts mandated by law. The above coverage shall include network security and privacy liability coverage or similar coverage. Coverage provided shall be primary and noncontributory or excess over other valid insurance, which may be available. All certificates shall state that coverages afforded will not be cancelled, non-renewed or materially reduced without thirty (30) day advance written notice to tevixMD. The required coverages referred to and set forth in this Section 15.1 shall in no way affect, nor are they intended as a limitation of, Subscriber's liability with respect to the performance of its obligations under this Agreement.
19.2. tevixMD shall, at its own expense, procure and maintain in full force and effect during the Term the following minimum insurance coverage in full force and effect with insurers rated A VII or better by A.M. Best to cover (i) commercial general liability insurance (primary and umbrella/excess) coverage with limits of at least $4,000,000 per occurrence, (ii) professional liability insurance (primary and excess) covering errors and omissions with limits of at least $4,000,000 per claim, and (iii) statutorily required workers' compensation insurance and employer's liability insurance, and (iv) data privacy and network security liability coverage in the amount of $4,000,000 per occurrence, and $4,000,000 aggregate.
20. Indemnification.
20.1. tevixMD Indemnification. tevixMD shall defend, indemnify, and hold harmless Subscriber, its Affiliates, and its and their employees, officers, directors, and agents (each, a “Subscriber Indemnitee”) from and against any and all losses, damages, liabilities, penalties and costs (including reasonable attorney’s fees) (“Losses”) resulting from any third-party claim, demand, suit, or proceeding that the SaaS Solution as used in accordance with this Agreement infringes or misappropriates such third party’s Intellectual Property Rights. The foregoing obligation does not apply to the extent that the alleged infringement arises from : (i) third-party materials or Subscriber Data; (ii) modification of the SaaS Solution other than by tevixMD or with tevixMD's written approval in accordance with tevixMD's written specification; or (iii) Subscriber’s failure to timely implement any modifications, upgrades, replacements, or enhancements made available to Subscriber by tevixMD.
20.2. Mitigation. In the event of a third-party infringement claim, tevixMD may, in its own discretion and at its sole cost and expense, either: (i) modify or replace the SaaS Solution or any part thereof so that it becomes non-infringing; (ii) obtain a license for Subscriber’s continued use of the SaaS Solution in accordance with this Agreement; or (c) cease to provide the SaaS Solution and other related products or services by immediately terminating this Agreement and refund any unused prepaid fees to Subscriber.
20.3. Indemnification Procedure. Subscriber shall promptly notify tevixMD in writing of any action for which Subscriber believes it is entitled to be indemnified pursuant to this Section 20 (an “Action”). tevixMD shall promptly assume control of the defense and shall employ counsel of its choice to handle and defend the same. Subscriber may participate in and observe the proceedings at its own cost and expense with counsel of its own choosing. tevixMD shall not settle any Action on any terms or in any manner that adversely affects the rights of Subscriber without Subscriber’s prior written consent, which shall not be unreasonably withheld or delayed. If the tevixMD fails or refuses to assume control of the defense of such Action, Subscriber shall have the right, but no obligation, to defend against such Action, including settling such Action after giving notice to tevixMD, in such manner and on such terms as Subscriber may deem appropriate.
20.4. Sole Remedy. This Section 20 sets forth subscriber's sole remedies and tevixMD's sole liability and obligation for any actual, threatened, or alleged claims that the services and tevixMD materials or any subject matter of this agreement infringes, misappropriates, or otherwise violates any intellectual property rights of any third party.
20.5. Subscriber Indemnity. Subscriber shall indemnify, defend and hold harmless tevixMD and its officers, directors and employees, from and against any third-party's claims, suits, damages, liabilities, fines, penalties, and losses, including reasonable attorneys' fees, interest and costs, arising out of or in connection with (a) Subscriber's use of tevixMD Services or tevixMD Data, (b) Subscriber's violation of Applicable Law or (c) Subscriber's breach of this Agreement. tevixMD may, at its election and expense, be represented by counsel of its choice and be present at all associated proceedings. Subscriber may not settle or consent to the entry of any judgment without the prior written consent of tevixMD, which shall not be unreasonably withheld, conditioned or delayed. Subscriber recognizes that tevixMD will suffer irreparable harm, and that monetary damages may be incalculable and/or inadequate in the event that Subscriber retains tevixMD Data in breach of this Agreement, and therefore, such breach shall be entitled to remedy by injunctive relief, in addition to any and all other relief which may be available at law or at equity
21. Fair Credit Reporting Act.
21.1. tevixMD has advised Subscriber, and Subscriber, in turn, acknowledges and understands that:
(a) tevixMD is not a "consumer reporting·agency," as defined by the FCRA, and does not have any similar status under any other Applicable Law related to consumer reports;
(b) The tevixMD Data is not a "consumer report" under the FCRA and do not have any similar status under any other Applicable Law related to consumer reports; and
(c) Neither the tevixMD Services, nor the tevixMD Data, is subject to the FCRA's (or any other Applicable Law related ta consumer reports) requirements relating to disputes, access, accuracy or otherwise.
21.2. Subscriber will not, directly or indirectly, cause the tevixMD Services or tevixMD Data to constitute a "consumer report" under the FCRA or other Applicable Law related to consumer reports, or by any authority having jurisdiction over the Parties.
22. Miscellaneous.
22.1. Further Assurances. On a party's reasonable request, the other party shall, at the requesting party's sole cost and expense, execute and deliver all such documents and instruments, and take all such further actions, as may be necessary to give full effect to this Agreement.
22.2. Entire Agreement. This Agreement, together with any Appendices, Orders, or other documents incorporated herein by reference, constitutes the sole and entire agreement of the parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter
22.3. Amendment. This Agreement shall not be amended other than in a writing executed by the duly authorized representative of each Party.
22.4. Governing Law. This Agreement, and the legal relations between the parties hereto, shall be governed by and interpreted in accordance with the laws of the State of Georgia without reference to conflict of laws principles. Subscriber agrees that any breach of the provision involving the subject matter of Sections 13, 15, 16, and 17 of this Agreement by it may cause irreparable damage to tevixMD and that, in the event of such a breach, in addition to any and all remedies at law, tevixMD shall have the right to an injunction, specific performance, or other equitable relief without the requirement of posting a bond or undertaking or proving injury as a condition for relief.
22.5. Venue. Any disputes under this Agreement shall be heard in any state or federal court located in Fulton County, Georgia. Each Party submits to the personal and subject matter jurisdiction and venue of such courts, waives the defense of an inconvenient forum, and irrevocably waives all right to trial by jury as to any issue relating hereto in any action, proceeding, or counterclaim arising out of or relating to this agreement or any other matter involving the parties hereto.
22.6. Attorney’s Fees. Should either Party hereto, or any heir, personal representative, successor or assign of either Party hereto, resort to legal proceedings in connection with this Agreement, the Party prevailing in such legal proceedings shall be entitled, in addition to such other relief as may be granted, to recover its or their reasonable attorneys' fees and costs in such legal proceedings from the non-prevailing Party.
22.7. Notices. Any notice, demand, or request required or permitted to be given hereunder shall be made in writing and shall be deemed effective when: (i) delivered in person; or (ii) five (5) business days after having been deposited with (a) the United States mail, postage prepaid, registered or certified, or (b) UPS, Federal Express or similar carrier with all charges for such delivery prepaid; and addressed to the receiving Party at the address stated herein. A copy of each notice shall also be sent via email.
22.8. No Waiver. The failure of either Party at any time to require performance by the other Party of any provision of this Agreement shall not affect in any way the full rights of such Party to require performance later, nor shall the waiver by either Party of a breach of any provision of this Agreement be taken or held to be a waiver of the provision itself.
22.9. Severability. If any portion or portions of this Agreement are held to be unenforceable, invalid or contrary to public policy under any applicable statute or rule of law, it is, to that extent, omitted, but the remainder of this Agreement shall continue to be binding upon the Parties hereto.
22.10. Assignment. The Parties agree that their respective rights and obligations under this Agreement may not be assigned or otherwise transferred without the prior written consent of the non-transferring Party; provided, however, that either Party may assign this Agreement and associated Orders without prior consent of the other Party with respect to assignments to persons or entities acquiring all or substantially all of the other Party’s assets or equity, whether by merger or otherwise.
22.11. Independent Contractors. Each Party shall perform its obligations hereunder as an independent contractor and shall be solely responsible for its own financial obligations (including any costs or expenses incurred by such Party in performing its obligations under this Agreement). Nothing contained herein shall be construed to imply a joint venture or principal and agent relationship between the Parties. Subscriber acknowledges that tevixMD provides similar deliverables and services to others and agrees that all deliverables, services, intellectual property, licenses, and rights provided by tevixMD are non-exclusive.
22.12. Public Announcements. Neither Party shall issue or release any announcement, statement, press release, or other publicity or marketing materials relating to this Agreement or, unless expressly permitted under this Agreement, otherwise use the other Party's Marks, in each case, without the prior written consent of the other Party, which consent shall not be unreasonably withheld, provided, however, that tevixMD may, without Subscriber's consent, include Subscriber's name and other indicia in its lists of tevixMD 's current or former Subscribers in promotional and marketing materials. All goodwill associated with the use of Marks by a Party shall inure to the benefit of the owner of such Marks.
22.13. Books and Records Access. To the extent this Agreement is subject to Section 1861(v)(1)(I) of the Social Security Act, tevixMD agrees to make available upon written request of the Secretary of Health and Human Services or the United States Comptroller General or any of their duly authorized representatives, this Agreement and any other books, documents, or records of tevixMD that are necessary to certify the nature and extent of costs incurred by tevixMD under this Agreement until the expiration of four (4) years after the expiration or termination of this Agreement for any reason. tevixMD agrees that if tevixMD carries out any of the services under this Agreement through a contract or subcontract with a value of $10,000 or more over a twelve (12) month period, such contract or subcontract shall require this same access to the books, documents, and records of such contractor or subcontractor.
22.14. Sanctioned Persons. Subscriber represents and warrants that it and any of its employees, officers, directors, contractors, representatives and agents providing any services under this Agreement: (i) are not “sanctioned persons” under any federal or state program or law; (ii) have not been listed in the current Cumulative Sanction List of the Office of Inspector General for the United States Department of Health and Human Services for currently sanctioned or excluded individuals or entities; (iii) have not been listed on the General Services Administration’s List of Parties Excluded from Federal Programs; (iv) have not been listed on the United States Department of Treasury, Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List; (v) have not been convicted of a criminal offense related to health care; and (vi) are not a debarred or suspended contractor under any law or rules of any state of the United States. Subscriber shall immediately notify tevixMD of any debarment or exclusion of any of its directors, officers, employees, agents or subcontractors. Any breach of this Section shall give tevixMD the right to terminate the Agreement immediately for cause.
22.15. Force Majeure. Except with regard to any previously accrued but unpaid amount due tevixMD neither Party shall be liable to the other for failure to perform any of its obligations hereunder during a period of fire, flood, or other natural disaster, war, terrorism, embargo, riot, epidemic, pandemic, Act of God, or intervention of a government authority or, in the case of tevixMD, delay or disruption with the telecommunications, Internet, wireless or network equipment provider or any third-party vendor of Subscriber or the Authorized Users (“Force Majeure Event”) which prevents such performance. The Party delayed by the Force Majeure Event shall promptly notify the other Party of the delay. During the pendency of any Force Majeure Event, the Party affected will work diligently to cure the Force Majeure Event to the extent commercially reasonable. However, if the Force Majeure Event continues for thirty (30) consecutive days, the Party not directly affected by it may terminate this Agreement immediately without penalty.
Appendix A
Standard Definitions of tevixAccuPAS Transactions:
1. Definitions. The following terms have the meanings provided below. Capitalized terms used in this Appendix not otherwise defined herein shall have the meaning provided in the Agreement.
“Address/Identity look-up” means a Transaction regarding the confirmation of the name and address of an individual.
“Benefits Eligibility” means a Transaction regarding the confirmation of an individual’s enrollment, participation and active status in a health insurance plan and the scope and amount of coverage to which such individual is then eligible.
“Entity” means the Subscriber and each Affiliate of Subscriber to whom the Parties agree in writing may perform Transactions under this Agreement. Affiliates will be eligible to perform Transactions only after tevixMD has approved the Credentialing of such Affiliate and the Affiliate’s signing a Master Patient Data Solutions Agreement substantially in the form of the Agreement.
tevixAccuPAS User Interface Transactions - A tevixAccuPAS Transaction is defined as:
1. One stand-alone patient Address/Identity look-up
2. One stand-alone Benefits Eligibility request (and includes one Service Type search each time Benefits Eligibility is requested) to search an individual payer
3. A combined search of patient Address/Identity and Benefits Eligibility - this combined search is called a “Visit” and is considered one tevixAccuPAS Transaction
4. Any additional patient Identity/Address or Benefits Eligibility or Service Type requests performed
5. Any search of multiple payors during an enabled Insurance Discovery Tool search. Each individual payor wherein a result is rendered is considered one tevixAccuPAS Transaction. (For example, the Tool searches up to ten (10) payors. If the Tool renders a result on the 4th payor, the Tool will end the search and only four (4) transactions are applied)
6. Any search for a Medicare Beneficiary Identifier (MBI Search)
Bulk Transactions - A tevixAccuPAS Transaction is defined as:
1. Each record in a Demographics bulk file.
2. Each record in an Eligibility bulk file.
3. Each record in a Real-time Batch - This is a combined search of Address/Identity and Benefits Eligibility - also known as a Visit and is considered one tevixAccuPAS Transaction
4. Any additional patient Identity/Address or Benefits Eligibility or Service Type requests performed
5. Any bulk file search of multiple payors during an enabled Insurance Discovery Tool search has the same meaning as in 5 above.
6. Any batch file search for a Medicare Beneficiary Identifier (MBI Search) search has the same meaning as in 6 above.
API Transactions - A tevixAccuPAS API Transaction is defined as:
1. One stand-alone patient Address/Identity look-up
2. One stand-alone Benefits Eligibility request to search an individual payer
3. A combined search of patient Address/Identity and Benefits Eligibility - this combined search is known as a Visit and is considered one tevixAccuPAS Transaction
4. Any additional patient Identity/Address or Benefits Eligibility or Service Type requests performed
Appendix B
Support Hours and Contact
Support Hours and Contact Information:
8:00 AM to 5:00 PM EDT M-F
561-257-0832 ext. 2
www.tevixMD.com/support
After Hours Support Requests:
Support requests outside of normal business hours mentioned above, will be addressed on the next business day.
Appendix C
Special Terms of Subscriber’s Use
For purposes of these Special Terms of Subscriber Use, “Data” means the information obtained from its sources (the “Sources”) and provided to Subscriber as part of the tevixMD Services. Otherwise, capitalized terms used in these Special Terms of Use (“Specific Terms”) but not defined herein shall have meanings given to such terms in the Agreement.
Subscriber acknowledges that tevixMD must insure that its Subscribers, including the Subscriber here, are credentialed prior to receipt of Data. The manner of credentialing is as set forth on Appendix C to the SAO (the “Credentialing”). tevixMD may terminate this Agreement immediately upon Subscriber’s failure to adhere to the these Special Terms or to the Credentialing. tevixMD may amend, supplement and/or modify the following terms from time to time upon thirty (30) days' prior written notice to Subscriber.
1. Subscriber accepts that the Data is provided “AS IS” with no warranties of any kind, whether express, implied in fact or by operation of law, or statutory, including without limitation, those as to quality, non-infringement, accuracy, completeness, timeliness, or correctness, and those warranties that might be implied from a course of performance or dealing or trade usage and warranties of merchantability and fitness for a particular purpose.
2. Subscriber understands and agrees that the Data contains sensitive information that is governed by various state and federal laws, including the Gramm-Leach-Bliley Act (15 U.S .C. § 6801-6809) ("GLBA") and The Driver's Privacy Protection Act (18 U.S.C. § 2721 - 2725) (“DPPA"), all of which the Subscriber certifies to comply. Subscriber agrees that it will certify its permissible use of the Data.
2.1 GLBA Data. If Subscriber receives Data subject to GLBA, Subscriber hereby certifies that the specific purpose(s) for which such Data will be requested, obtained and used by Subscriber is one or more of the following uses as described in, and as may be interpreted from time to time, by competent legislative, regulatory or judicial authority, and as being encompassed by Section (6802)(e) of the GLBA and the United States Federal Trade Commission rules promulgated thereunder:
• As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;
• To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
• For required institutional risk control, or for resolving consumer disputes or inquiries;
• For use solely in conjunction with a legal or beneficial interest held by Subscriber and relating to the consumer;
• For use solely in Subscriber's fiduciary or representative capacity on behalf of, and with the implied or express consent of, the consumer;
• To the extent specifically permitted or required under laws other than the GLBA, and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, to self-regulatory organizations, or for an Investigation on a matter related to public safety; or
• To comply with federal, state, or local laws, rules, and other applicable legal requirements.
2.2 DDPA Data. If Subscriber receives Data subject to DPPA, Subscriber hereby certifies that it will request, obtain, and use such Data only for one of the following permitted uses under the DPPA:
• Use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a federal, state, or local agency in carrying out that agency's functions.
• Use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal Information submitted by the individual to the business or its agents, employees, or contractors; and, if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against the individual.
• Use in connection with any civil, criminal, administrative, or arbitration proceeding, in any federal, state. or local court or agency, or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.
• Use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating, or underwriting.
• Use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49, U.S. Code.
• Use by any licensed private investigative agency or licensed security service for any purpose described above.
3. Subscriber agrees not to use the Data, in whole or in part, for consumer credit purposes, consumer insurance underwriting, employment purposes, tenant screening purposes, or for any other purpose(s) covered by the Federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) ("FCRA”) or similar state statute. Subscriber agrees not to take any adverse action (as such term is used in the FCRA) based, in whole or in part, upon the information.
4. Subscriber acknowledges that tevixMD retains all right, title, and interest under applicable contractual, copyright and related laws in the Data. Subscriber shall use the Data consistent with such right, title and interest, subject to the license and use restrictions contained in these terms and conditions, and shall notify Reseller of any threatened or actual infringement thereof.
5. tevixMD grants Subscriber a restricted personal, nonexclusive, non-transferable, non-sublicenseable, revocable license to obtain and use the Data solely for Permitted Uses as permitted by these terms and conditions and all applicable laws, rules, regulations and regulatory directives. The license granted hereby is conditioned upon the Data not being accessed, used and/or distributed for any FCRA Purposes or for any Prohibited Uses. Subscriber shall obtain and use the Data for Subscriber's own internal business purposes consistent with these terms and conditions. The Data obtained by Subscriber shall be used for Subscriber's exclusive, one (1) time use in connection with the permissible use for which it was requested.
6. Subscriber agrees to take appropriate measures so as to protect against the misuse and/or unauthorized access of the Data, including adherence to the Expected Access Security Requirements outlined on Appendix C-1 to this Agreement. Such misuse or unauthorized access shall include any unauthorized disclosure, release, viewing or other unauthorized access to the Data.
7. The Data may only be accessed from within the United States. Subscriber will (i) limit access to Data to only those employees who have a need to access in connection with the duties and obligations under this Agreement; (ii) advise its employees having access to Data of the proprietary and confidential nature thereof and of the obligations set forth in these terms and conditions; (iii) track and monitor its access to Data; (iv) prevent any use not in conformance with these terms and conditions, and (v) maintain records sufficient to demonstrate compliance with its obligations under these terms and conditions.
8. Subscriber agrees to maintain appropriate administrative, technical and physical safeguards for the Data. These safeguards shall (i) ensure the confidentiality of the Data; (ii) protect the Data against any anticipated threats or hazards to its security or integrity; and (iii) protect the Data against unauthorized access or use. If Subscriber learns or has reason to believe that the Data has been disclosed or accessed by an unauthorized party, Subscriber shall immediately give notice of such event to tevixMD and shall comply with all applicable laws relating to the privacy and security of the Data.
9. NEITHER TEVIXMD NOR ANY THIRD PARTY FROM WHOM TEVIXMD OBTAINS THE DATA SHALL BE LIABLE TO SUBSCRIBER OR TO ANY PERSON CLAIMING THROUGH SUBSCRIBER OR TO WHOM SUBSCRIBER MAY HAVE PROVIDED DATA FOR ANY LOSS OR INJURY ARISING OUT OF OR RELATED TO RESELLER'S OR THIRD PARTY'S ACTS OR OMISSIONS IN PROCURING, COMPILING, COLLECTING, INTERPRETING, REPORTING, COMMUNICATING, OR DELIVERING THE DATA. IN NO EVENT SHALL TEVIXMD NOR ANY THIRD PARTY FROM WHOM TEVIXMD OBTAINS THE DATA BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES INCURRED BY THE OTHER PARTY AND ARISING OUT OF THE PERFORMANCE OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF GOOD WILL AND LOST PROFITS OR REVENUE, WHETHER OR NOT SUCH LOSS OR DAMAGE IS BASED IN CONTRACT, WARRANTY, TORT, NEGLIGENCE, STRICT LIABILITY, INDEMNITY, OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. IF, NOTWITHSTANDING THE FOREGOING, LIABLITY CAN BE IMPOSED ON TEVIXMD AND/OR ANY THIRD PARTY FROM WHOM TEVIXMD OBTAINS THE DATA, TEVIXMD AND ANY SUCH THIRD PARTY'S ENTIRE AGGREGATE LIABLITY SHALL BE LIMITED TO DIRECT DAMAGES NOT EXCEEDING THE AMOUNT OF FEES PAID BY SUBSCRIBER DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEEDING THE EVENT WHICH GAVE RISE TO THE LIABILITY.
The provisions of this Section 9 shall survive the termination of the Agreement.
Appendix C-1
Expected Access Security Requirements
Subscriber herby acknowledges that tevixMD requires data access and security compliance in accordance with HIPAA and GLB, and that those requirements entail strong access control measures, vulnerability management programs, data protection, information security policies and secure networks; and that they are maintained, regularly monitored and tested as to fulfill the compliance requirements of HIPAA and GLB. Subscriber agrees to indemnify tevixMD for any losses suffered if Subscriber does not fulfill the compliance requirements of HIPAA and GLB. A list has been provided below for the industry standard as a reference.
Industry Standard:
1. Implement Strong Access Control Measures
a. Do not provide your credit reporting agency Subscriber Codes or passwords to anyone. No one from the credit-reporting agency will ever contact you and request your Subscriber Code number or password.
b. Proprietary or third-party system access software must have credit reporting agency Subscriber Codes and password(s) hidden or embedded.
Account numbers and passwords should be known only by supervisory personnel.
c. You must request your Subscriber Code password be changed immediately when: any system access software is replaced by system access software or is no longer used; the hardware on which the software resides is upgraded, changed or disposed of
d. Protect credit reporting agency Subscriber Code(s) and password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of your Subscriber Code(s) and password(s).
e. Create a separate, unique user tevixMD for each user to enable individual authentication and accountability for access to the credit reporting agency’s infrastructure. Each user of the system access software must also have a unique logon password.
f. Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users’ profiles.
g. Keep user passwords Confidential.
h. Develop strong passwords that are: Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters) & Contain a minimum of seven (7) alpha/numeric characters for standard user accounts
i. Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations.
j. Active logins to credit information systems must be configured with a 30-minute inactive session, timeout.
k. Restrict the number of key personnel who have access to credit information.
l. Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
m. Ensure that you and your employees do not access your own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
n. Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
o. After normal business hours, turn off and lock all devices or systems used to obtain credit information.
p. Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain credit information.
2. Maintain a Vulnerability Management Program
a. Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
b. Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
c. Implement and follow current best security practices for Computer Virus detection scanning services and procedures:
Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.
If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.
Implement and follow current best security practices for computer anti-Spyware scanning services and procedures:
Use, implement and maintain a current, commercially available computer anti-spyware scanning product on all computers, systems and networks.
If you suspect actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated.
Run a secondary anti-Spyware scan upon completion of the first scan to ensure all Spyware has been removed from your computers.
Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files weekly, at a minimum. If your company’s computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly.
3. Protect Data
a. Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.)
b. All credit reporting agency data is classified as Confidential and must be secured to this requirement at a minimum.
c. Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
d. Encrypt all credit reporting agency data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum.
e. Only open email attachments and links from trusted sources and after verifying legitimacy.
4. Maintain an Information Security Policy
a. Develop and follow a security plan to protect the Confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
b. Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators.
c. The FACTA Disposal Rules requires that you implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
d. Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization.
5. Build and Maintain a Secure Network
a. Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices.
b. Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
c. Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
d. Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic.
e. Encrypt Wireless access points with a minimum of WEP 128-bit encryption, WPA encryption where available.
f. Disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point.
6. Regularly Monitor and Test Networks
a. Perform regular tests on information systems (port scanning, virus scanning, vulnerability scanning).
b. Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide Services hereunder to access credit reporting agency systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
protecting against intrusions
securing the computer systems and network devices, and
protecting against intrusions of operating systems or software.
Record Retention: The Federal Equal Opportunities Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, the credit reporting agency requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.
“Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $2,500 per violation.”
Appendix D
Subscriber Referral Program
Should Subscriber provide referrals to tevixMD, the Subscriber will receive a “one time” credit on its’ monthly tevixMD invoice equal to one (1) month’s value of the monthly minimum transaction commitment agreed to by the referred company, if they execute an agreement with tevixMD within one year of the introduction. This credit shall be issued on the month following the month where the referred company has been operating on the tevixMD platform for at least 90 days. A referral shall include the following basic information and/or perform the minimum tasks:
a. Company name and address
b. Contact name, title, contact information
c. Information about the referred Company, to include, to the extent possible – industry subsegment. (lab, hospital, RCM, etc.)
d. Providing the proper warm introduction to the individuals who are responsible for evaluating a new solution (decision makers).
Appendix E
Special Terms of Subscriber’s Use and GLBA and DPPA Certifications
For purposes of these Special Terms of Subscriber Use, “Data” means the information obtained from its sources (the “Sources”) and provided to Subscriber as part of the tevixMD Services. Otherwise, capitalized terms used in these Special Terms of Use (“Specific Terms”) but not defined herein shall have meanings given to such terms in the Agreement.
Subscriber acknowledges that tevixMD must insure that its Subscribers, including the Subscriber here, are credentialed prior to receipt of Data. The manner of credentialing is as set forth on Appendix A to the Service Addenda and Order Form (the “Credentialing”). tevixMD may terminate this Agreement immediately upon Subscriber’s failure to adhere to these Special Terms or to the Credentialing. tevixMD may amend, supplement and/or modify the following terms from time to time upon thirty (30) days' prior written notice to Subscriber.
No Warranties. Subscriber accepts that the Data is provided “AS IS” with no warranties of any kind, whether express, implied in fact or by operation of law, or statutory, including without limitation, those as to quality, non-infringement, accuracy, completeness, timeliness, or correctness, and those warranties that might be implied from a course of performance or dealing or trade usage and warranties of merchantability and fitness for a particular purpose.
Special Certifications. Subscriber understands and agrees that the Data contains sensitive information that is governed by various state and federal laws, including the Gramm-Leach-Bliley Act (15 U.S.C. § 6801-6809) ("GLBA") and The Driver's Privacy Protection Act (18 U.S.C. § 2721 - 2725) (“DPPA"), all of which the Subscriber certifies to comply. Subscriber agrees that it will certify its permissible use of the Data.
GLBA Certification. If Subscriber receives Data subject to GLBA, Subscriber hereby certifies that the specific purpose(s) for which such Data will be requested, obtained and used by Subscriber is one or more of the following uses as described in, and as may be interpreted from time to time, by competent legislative, regulatory or judicial authority, and as being encompassed by Section (6802)(e) of the GLBA and the United States Federal Trade Commission rules promulgated thereunder:
• As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;
• To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
• For required institutional risk control, or for resolving consumer disputes or inquiries;
• For use solely in conjunction with a legal or beneficial interest held by Subscriber and relating to the consumer;
• For use solely in Subscriber's fiduciary or representative capacity on behalf of, and with the implied or express consent of, the consumer;
• To the extent specifically permitted or required under laws other than the GLBA, and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, to self-regulatory organizations, or for an Investigation on a matter related to public safety; or
• To comply with federal, state, or local laws, rules, and other applicable legal requirements.
4. DPPA Certification. If Subscriber receives Data subject to DPPA, Subscriber hereby certifies that it will request, obtain, and use such Data only for one of the following permitted uses under the DPPA:
• Use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a federal, state, or local agency in carrying out that agency's functions.
• Use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to verify the accuracy of personal Information submitted by the individual to the business or its agents, employees, or contractors; and, if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against the individual.
• Use in connection with any civil, criminal, administrative, or arbitration proceeding, in any federal, state. or local court or agency, or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state, or local court.
• Use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating, or underwriting.
• Use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49, U.S. Code.
• Use by any licensed private investigative agency or licensed security service for any purpose described above.
5. Certification as to Use. Subscriber agrees not to use the Data, in whole or in part, for consumer credit purposes, consumer insurance underwriting, employment purposes, tenant screening purposes, or for any other purpose(s) covered by the Federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) ("FCRA”) or similar state statute. Subscriber agrees not to take any adverse action (as such term is used in the FCRA) based, in whole or in part, upon the information.
Certification Acknowledgement. Subscriber hereby certifies, acknowledges and agrees to comply with its responsibilities under the Gramm-Leach-Bliley Act of 1999 (GLBA Act), The Driver's Privacy Protection Act (DPPA) and The Federal Fair Credit Reporting Act (FCRA).