1. Services. Faces & Voices of Recovery shall provide Software services for purposes of collection, retention, analysis, and reporting of data related to recovery (“Services”) to the Client as described on one or more Statements of Work signed by Faces & Voices of Recovery and Client that reference this Agreement (“SOW” or “Statement of Work”). Faces & Voices of Recovery shall perform Services in an ongoing manner and begin delivery of the service (“Deliverable”) no later than the due date specified in the applicable SOW (“Launch Date”). This due date is subject to change in accordance with the Change Order process defined in the applicable SOW. Client shall assist Faces & Voices of Recovery by promptly providing all information requests known or available and relevant to the Services in a timely manner.

2. Contract Price. For performance of the Services and rendering the Deliverable, Client shall pay to Faces & Voices of Recovery all fees due under the applicable SOW.

3. Deposit. An initial payment (the “Deposit”) of the first 12 months of recurring fees ( 100%) is due to Faces & Voices of Recovery at signing. In the event service is active at time of contract launch, full payment for the yearly agreed upon price is required.

4. Dates of Performance. Faces & Voices of Recovery will begin performing services upon receipt of signed Agreement and Deposit. Unless terminated as provided in this Agreement, Faces & Voices of Recovery will begin Services by the Launch Date. Deliverable shall be furnished to Client within 72 hours of final payment for the first year of Services. Services will automatically renew one month prior to end of first year of agreement for an additional year.

5. Change in Services. If Client desires changes to the SOW, Client shall submit to Faces & Voices of Recovery a written request in accordance with the change order process defined in the applicable SOW. The parties may execute additional Statements of Work describing Services, which will become part of this Agreement upon execution by Faces & Voices of Recovery and the Client. If an additional SOW is executed, then Client shall pay Faces & Voices of Recovery for all services performed prior to the additional SOW before Faces & Voices of Recovery begins work on the new SOW.

6. Termination. Faces & Voices of Recovery shall have the right to modify, reject, or terminate any SOW and any related work in process with thirty days written notice to Client. In the event Faces & Voices of Recovery terminates the SOW prior to completion of Services, the Client shall pay Faces & Voices of Recovery the fees due under the SOW with respect to Services completed as of the date of termination. Payment for completed work will be deducted from the deposit. Any amount due for services performed by Faces & Voices of Recovery above the deposit will be billed to Client and Client shall promptly pay. Upon settlement of funds due to Faces & Voices of Recovery, all Client provided materials will be returned to Client and all Client use rights in the work in process as described in Section 9 will be transferred to Client.

7. Payment of Services. In exchange for Faces & Voices of Recovery’s Services under this Agreement, the Client shall pay Faces & Voices of Recovery the contract price and deposit set forth above. Faces & Voices of Recovery will submit a final invoice to Client for all services rendered by the Services Completion Date and Client shall promptly pay. Client is restricted from using any form of the Deliverable until final payment is received. Client shall pay travel and other expenses incurred by Faces & Voices of Recovery in performing the Services. In the event of a good faith dispute with regard to an item appearing on an invoice, Faces & Voices of Recovery shall have the right to withhold the Deliverable while the parties attempt to resolve the disputes.

8. Representations and Warranties.

a. Faces & Voices of Recovery’s Representation: Faces & Voices of Recovery represents that any materials used in the Deliverable will not knowingly (a) infringe on the intellectual property rights of any third party or any rights of publicity or privacy or (b) violate any law, statute, ordinance or regulation. b. Client’s Representation: Client represents that any materials provided to Faces & Voices of Recovery by Client for incorporation into the Deliverable will not (a) infringe on the intellectual property rights of any third party or any rights of publicity or privacy or (b) violate any law, statute, ordinance or regulation. c. Warranty Disclaimer. EXCEPT FOR THE WARRANTIES SET FORTH IN THIS AGREEMENT AND ANY SOW, EACH PARTY EXPRESSLY DISCLAIMS ANY AND ALL OTHER WARRANTIES OF ANY KIND OR NATURE, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

9. Confidentiality. The Parties agree to maintain and keep confidential, and shall cause their respective affiliates, officers, directors, trustees, employees, agents, consultants and representatives to keep confidential, this Agreement, any and all information, including, but not limited to, pricing, data, formulas, trade secrets, techniques, inventions (whether or not patentable), and Protected Health Information (“PHI”), derived from its relationship with the other (collectively “Confidential Information”) in connection with this Agreement. Each Party agrees to: (i) maintain the Confidential Information in trust and confidence; (ii) use at least the same degree of care in maintaining the secrecy of the Confidential Information as the receiving Party uses in maintaining the secrecy of its own proprietary, secret, or confidential information, but in no event with less than a reasonable degree of care; (iii) use Confidential Information only to complete its duties and obligations under this Agreement; (iv) refrain from using or disclosing such Confidential Information unless it does so with prior written consent from the disclosing Party, except that a Party may disclose Confidential Information to its representatives and professional advisors, and (v) return or destroy all documents, copies, notes or other materials containing any Confidential Information, upon termination or expiration of the Agreement or upon the written request of the disclosing Party, subject to the Business Associate Addendum, if applicable. With the exception of PHI, which must remain confidential at all times, the receiving Party shall have no obligation concerning any portion of the Confidential Information which: (a) was known to the receiving Party, under no obligation of confidentiality, before receipt from the disclosing Party; (b) is lawfully obtained by the receiving Party from other than the disclosing Party under no obligation of confidentiality; (c) is or becomes publicly available other than as a result of an act or failure to act by the receiving Party; or (d) is required to be disclosed by the receiving Party by applicable law or legal process; provided, however, that a receiving Party must give the disclosing Party reasonable advance notice of any legally required disclosure so that the disclosing Party has an opportunity to challenge any request or order to disclose Confidential Information.

10. Security and Privacy Rules. Faces & Voices agrees to comply with all applicable current and future regulations governing the privacy of substance abuse set forth at 42 CFR Part 2 and the Health Insurance Portability and Accountability Act of 1996 as codified at 42 USC§1320(d) (“HIPAA”) as either may be amended from time to time, including revisions to HIPAA per the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, as specified in the Business Associate Addendum which shall be attached as Exhibit B hereto and incorporated by reference into this Agreement.

11. Software License. To the extent that the product is software, or otherwise requires Faces & Voices licensed software in order to be operable (“Software”), Faces & Voices hereby grants to _______________________ a nonexclusive license and the right during the Term to use the Software. Faces & Voices warrants and represents that it has obtained the rights from those third parties necessary to vest in or grant to _____________ the various license rights necessary under this Agreement.

12. Ownership of Deliverables. “Intellectual Property Rights” means any and all (a) rights associated with works of authorship, including but not limited to copyrights, (b) trademark and trade name rights and similar rights, (c) trade secret rights, (d) patents and (c) all other intellectual property rights in any jurisdiction throughout the world. To the fullest extent permitted by law, Faces & Voices of Recovery retains ownership in all Intellectual Property rights of the Deliverable. Further, Faces & Voices of Recovery retains all ownership and Intellectual Property Rights to the raw video footage, music, images, and other components comprising the Deliverable for its future use. Upon full payment of the deliverable, Faces & Voices of Recovery grants Client a perpetual, non-exclusive and non- transferable license to use, copy, reproduce, display, or distribute the Deliverable. Client shall retain sole ownership of all Intellectual Property Rights in connection with any original material it provides to Faces & Voices of Recovery for use within the Deliverable. If termination occurs under Section 6, Faces & Voices of Recovery shall retain ownership in all Intellectual Property Rights and to the raw video footage, music, images, and other components comprising the work in process up to the date of termination. After a termination under Section 6 and upon full payment for the work in process, Faces & Voices of Recovery will grant Client a perpetual, non-exclusive and non-transferable license to use, copy, reproduce, display, or distribute the work in process. In no event will Faces & Voices of Recovery be liable for any claims related to or arising from Client’s improper use of the Deliverable, work in process, images, and other components that comprise the Deliverable or work in process.

13. Indemnification. Client will defend, indemnify and hold Faces & Voices of Recovery harmless from any and all claims, losses, liabilities, damages, expenses and costs (including attorneys’ fees and court costs) arising from or relating to any claims regarding elements or materials provided by Client and incorporated into the Deliverable. Additionally, Client will defend, indemnify and hold Faces & Voices of Recovery harmless from any and all claims, losses, liabilities, damages, expenses and costs (including attorneys’ fees and court costs) arising from or relating to any claims regarding Client’s unauthorized use of any music, images, or other materials comprising the Deliverable.

14. Ownership of CLIENT Information. All documents, records, data, and other information not developed or licensed by Faces & Voices of Recovery prior to execution of this Contract, but specifically developed and maintained under this Contract shall be considered the property of CLIENT. Use of these materials, other than related to contract performance by Faces & Voices of Recovery, pursuant to an executed End User License Agreement (“EULA”) or without the prior written consent of CLIENT, is prohibited.

a. Faces & Voices of Recovery shall provide CLIENT full, immediate, and unrestricted access to CLIENT information during the term of this Contract. b. Faces & Voices of Recovery shall provide CLIENT with routine access to backup CLIENT information and data held by Faces & Voices of Recovery. c. Faces & Voices of Recovery shall not store or otherwise house CLIENT data outside the confines of the continental United States.

15. Limitation of Liability. FACES & VOICES OF RECOVERY WILL NOT BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, LOST PROFITS, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT PRODUCT LIABILITY, OR OTHERWISE, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL FACES & VOICES OF RECOVERY’S AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED THE FEES PAID TO FACES & VOICES OF RECOVERY HEREUNDER.

16. Compliance with Laws. Each party shall perform all of its obligations under this Agreement in compliance at all times with all foreign, federal, state and local statutes, orders and regulations, including those relating to privacy and data protection.

17. General. Neither party may assign this Agreement without the prior written consent of the other party and any attempt to do so will be void. Any notice or consent under this Agreement will be in writing to the address specified below. If any provision of this Agreement is adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect. Any waivers or amendments shall be effective only if made in writing signed by a representative of the respective parties. Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties, and supersedes and cancels all previous written and oral agreements and communications relating to the subject matter of this Agreement. Both parties agree that the Agreement is signed by a duly, authorized Faces & Voices of Recovery representative authorized to bind the Faces & Voices of Recovery to its terms and services and no consent from any third party is required.

18. Assignment and Subcontracting. Neither Party may assign or transfer this Agreement or any of its obligations hereunder to a third party without the written consent of the other Party. Any attempted assignment without such consent shall be void. This Agreement shall binding upon, and inures to the benefit of, the Parties and all permitted successors and assigns. No portion of the performance of this Agreement may be delegated, subcontracted, or “outsourced” to an individual or business entity not subject to the laws of the United States. Notwithstanding anything to the contrary, Faces & Voices is and will remain responsible for its subcontractors’ compliance with this Agreement.

19. Force Majeure. A Party shall not be liable for failure to perform any duty or obligation under this Agreement, where such failure has been occasioned by any acts of God, civil or military authority, acts of terror, war, fires, explosions, earthquakes, floods, failure of transportation, strikes or other work interruptions by a Party’s employees, or any other causes beyond the reasonable control of a Party; provided, however, in the event the provision of services is substantially interrupted, either Party shall have the right to terminate this Agreement upon five (5) days prior written notice to the other. Upon cessation of the force majeure, this Agreement and all related Agreements, including any EULA and BAA shall terminate unless required to continue by law or other terms of the Parties Agreements.

20. Choice of Law. This Agreement will be deemed to have been made in, and shall be construed pursuant to the laws of the District of Columbia and the United States without regard to conflicts of laws provisions thereof. Any suit or proceeding arising out of or relating to this Agreement shall be commenced in a federal or state court in Washington, D.C., and each party irrevocably submits to the jurisdiction and venue of such courts.

21. Remedies. Faces & Voices of Recovery reserves all remedies available at law or equity for any disputes that arise under this Agreement. In the event of a suit or proceeding under this Agreement, Client agrees to pay all attorneys’ fees if the federal or state court renders judgment substantially in Faces & Voices of Recovery’s favor.

22. Waiver. The failure of a Party to strictly enforce any provision of this Agreement will not be construed as a waiver thereof or as excusing the defaulting Party from future performance. Any waiver of any of the covenants, conditions, or provisions of this Agreement must be in writing and signed by a duly authorized representative of the Party against whom enforcement of such waiver is sought. One or more waivers of any covenants, conditions, or provisions of this Agreement shall not be construed as a waiver of a subsequent breach or of any other covenant, condition or provision.

23. Invalidity or Unenforceability. If any term, covenant, condition, or provision hereof is illegal, or the application thereof to any person or in any circumstance shall, to any extent, be invalid or unenforceable, as finally adjudicated by a court of competent jurisdiction, the remainder of this Agreement, or the application of such term, covenant, condition, or provision to persons or in circumstances other than those with respect to which it is held invalid or unenforceable, shall not be affected thereby, and each term, covenant, condition, and provision of this Agreement shall be valid and enforceable to the fullest extent permitted by law.

24. Survival. Any provision of this Agreement that, by its language, contemplates performance or observation subsequent to any termination or expiration of this Agreement shall survive such termination or expiration and shall continue in full force and effect.

25. Requirements. In exchange for the software license at the agreed upon fee, all organizations that use the software will be required to collect a few pieces of mission critical data:

a. Engagement Scale Assessment forms completed with program participants receiving peer recovery support services weekly or at each interaction, whichever interval is greater.
b. Recovery Capital Assessments completed every 6 months with engaged program participants.

26. Entire Agreement, Counterparts, and Amendments. This Agreement and any exhibits, addenda, and schedules properly incorporated from time to time are the complete agreement and shall supersede any and all prior and contemporaneous understandings and agreements either oral or in writing between Faces & Voices and ______________. This Agreement shall supersede and control all other quotations, purchase orders, statements of work, and/or representations (whether written or oral) between the Parties or between Faces & Voices and any Hospital. Any documentation (including, as applicable, Faces & Voices terms and conditions) that conflicts with, or attempts to modify, this Agreement in any way shall be rejected and of no effect unless specifically agreed to in writing between the Parties. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Signatures to the Agreement transmitted by facsimile transmission, or by electronic mail in “portable document format” (“.pdf”), will have the same effect as physical delivery of the paper document bearing the original signature. Any amendment or modification to this Agreement must be in writing and signed by the Parties. Each Party acknowledges that this Agreement has been the subject of active and complete negotiations, and that this Agreement should not be construed in favor of or against any Party by reason of the extent to which any Party or its professional advisers participated in the preparation of this Agreement.

The following terms describe the intended use within this Addendum and the Agreement:

“Designated Record Set” is a group of records maintained by or for Covered Entity that includes: (a) the medical records and billing records about individuals maintained by or for a health care provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (c) used, in whole or in part, by or for Covered Entity to make decisions about individuals.

“HIPAA Rules” include the Health Insurance Portability and Accountability Act (HIPAA) and HITECH ACT rules for Privacy, Security, Breach Notification and Enforcement at 45 C.F.R Part 160 and Part 164 The following terms used in this Addendum shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Minimum Necessary, Protected Health Information (PHI), Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Uses and Disclosures.

1. Business Associate Assurances. In the event Business Associate creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information ("PHI") in HIPAA Rules and otherwise meets the definition of a Business Associate as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), Business Associate acknowledges that it has a statutory duty under HIPAA / HITECH to, among other duties, use and disclose PHI only in compliance with 45 CFR §164.504(e) (the provisions of which have been incorporated into the Agreement), 45 CFR §164.308 (Security Standards), 45 CFR §164.310 (Administrative Safeguards), 45 CFR §164.312 (Technical Safeguards), and 45 CFR §164.316 (Policies and Procedures and Documentation Requirements), as amended from time to time. Business Associate acknowledges that its failure to comply with these or any other statutory duties could result in civil and/or criminal penalties under 42 USC §§1320d-5 and 1320d-6.

2. Obligations of Business Associate:
    (a) Uses and Disclosures of Protected Health Information (PHI). As a Business Associate to Covered Entity, the Business Associate is required to ensure that its directors, officers, employees, contractors and agents do not use or disclose PHI received from Covered Entity or another party or created on behalf of Covered Entity as maintained in a Designated Record Set in any manner other than as defined by the Agreement and this Addendum, including a manner that would constitute a violation of the HIPAA Rules if so used or disclosed by Covered Entity. Business Associate may use and disclose the minimum necessary PHI according to Covered Entity minimum necessary policies and procedures to carry out its duties and obligations under the Agreement, which may be amended from time-to-time to include other duties and obligations related to PHI, or use or disclose PHI as required by law. In addition, Business Associate may use PHI for its own management and administration provided the disclosures are required by law, or obtain the prior consent of Covered Entity, which consent shall not be unreasonably withheld. In instances where the disclosure of PHI is not required by law, Business Associate shall obtain reasonable assurances from the person to whom the PHI is disclosed that the information remain confidential and used or re-disclosed only as required by law or for the purpose for which it was disclosed. Furthermore, Business Associate shall require the person to immediately notify Business Associate of any instances of which it is aware that a breach of confidentiality occurred. Business Associate may only de-identify and perform data aggregation of Covered Entity's PHI if expressly permitted to do so under the health care operations requirements of the Agreement. Any duty to de-identify Covered Entity PHI must comply with the HIPAA Rules process requirements for de-identification.
    (b) Safeguards Against Misuse or Wrongful Disclosure of Protected Health Information. Business Associate agrees that it will use reasonable and appropriate administrative, physical and technical safeguards pursuant to the HIPAA Rules to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement, this Addendum, or as required by law.
    (c) Reporting of Wrongful Disclosures of Protected Health Information. A breach or suspected breach of unsecured PHI must be reported to Covered Entity on the first day that the breach is known to the Business Associate. A breach or suspected breach of secured PHI must be reported to Covered Entity within five (5) business days of the Business Associate becoming aware of an unauthorized disclosure or use of the PHI. A suspected breach entails events that a Business Associate exercising reasonable diligence would believe that a breach could occur. Where a breach occurs in violation of the Agreement, this Addendum, or law, the Business Associate shall report the wrongful disclosure to Covered Entity’s Privacy Officer. Covered Entity's Privacy Officer will determine Business Associate's responsibilities in a breach notification to its patients.
    (d) Agreements with Subcontractors or Agents. If Business Associate enters into an agreement with any agent or subcontractor in fulfillment of its obligations under the Agreement and the agent or subcontractor will have access to PHI, Business Associate must assure that agent or subcontractor agrees to the same restrictions, conditions, and requirements that apply to the Business Associate under the Agreement and this Addendum.
    (e) Access to Protected Health Information. Business Associate shall notify Covered Entity within fifteen (15) calendar days of a request by a patient for access (inspection or receipt of a copy) to PHI in its possession. The Parties agree to arrange for inspection and copying of the information as requested by the patient in compliance with Covered Entity’s privacy practices, policies, HIPAA Rules, and Michigan law, including charging the patient for photocopying. Covered Entity is responsible to respond to the patient’s request for access to PHI.
    (f) Amendment of Protected Health Information. Business Associate shall notify Covered Entity within fifteen (15) calendar days of receipt of a request by a patient to amend any PHI in its possession. Any patient request to amend PHI shall follow Covered Entity’s privacy policies, practices, HIPAA Rules, and Michigan law. The Parties agree that Covered Entity shall be responsible to respond to the patient’s request for amendment; Business Associate may amend PHI only upon the express written direction of Covered Entity.
    (g) Accounting of Disclosures.Business Associate may only disclose PHI as described in the Agreement and Section 1 above. Furthermore, Business Associate shall provide to Covered Entity the following information within fifteen (15) calendar days of receipt of Covered Entity’s request for an accounting of all disclosures made of a patient’s PHI: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event a patient requests an accounting of disclosures of his or her PHI directly from Business Associate, Business Associate shall within five (5) business days forward such request to Covered Entity. Covered Entity is responsible to respond to such request.
    (h) Availability of Books and Records. Business Associate agrees to make its HIPAA practices, books and records, including policies and procedures relating to the use and disclosure of PHI received from Covered Entity or another party on Covered Entity’s behalf or created on Covered Entity’s behalf available to the Secretary during normal business hours for purposes of determining Covered Entity’s compliance with the HIPAA Rules. Business Associate shall promptly notify Covered Entity’s Privacy Officer if the Secretary requests access to its practices, books or records, and allow Covered Entity to review the same practices, books or records provided to the Secretary. In addition, Business Associate shall make available to Covered Entity’s Privacy Officer, subject to a privacy investigation, such HIPAA related practices, books, and records including policies and procedures relating to the use and disclosure of PHI under the Agreement.
    (i) Electronic PHI Data Security. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains or transmits to or on behalf of Covered Entity as required by the HIPAA Rules. Business Associate further agrees to ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect the information. Business Associate agrees to promptly report to Covered Entity any security incident which includes, under HIPAA Rules, the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operation of which Business Associate becomes aware.
    (j) Term and Termination Upon Breach of Provisions Applicable to Protected Health Information. The term of this Addendum shall be the same term of the Agreement. The Agreement may be terminated by Covered Entity in response to a material breach by Business Associate of its obligations hereunder after providing Business Associate a thirty (30) calendar day period in which to cure the breach. If cure is not possible, Covered Entity may immediately terminate the Agreement. However, if the material breach by Business Associate pertains to a use or disclosure of PHI not otherwise permitted herein, Business Associate shall use its best efforts to cure the breach within five (5) business days, but shall have up to ten (10) business days to cure the breach. Furthermore, in the event that termination of the Agreement is not feasible, Business Associate acknowledges that Covered Entity shall have the right to report the breach to the Secretary of the U.S. Department of Health and Human Services.
    (k) Return, Retention, Destruction or Transfer of Protected Health Information upon Termination. Upon termination of the Agreement, Covered Entity and Business Associate shall mutually determine whether Business Associate is to return, destroy, retain or transfer all PHI in any form in its possession. If Business Associate is required to retain PHI, the terms and conditions of this Addendum shall survive termination of the Agreement, and such PHI shall be used or disclosed solely for the purpose or purposes which prevented the return or destruction of the PHI. If Business Associate is required to return PHI to Covered Entity, destroy PHI or transfer/transmit PHI to another business associate, it shall not keep a copy of the PHI. Furthermore, if Business Associate is required to destroy PHI it shall use reasonable methods of destruction to assure that a breach of confidentiality does not occur during the process, and Business Associate shall provide a written certification of the destruction process to Covered Entity.     (l) Training. Business Associate agrees to provide adequate training to its employees and subcontractors to ensure compliance with HIPAA and the HITECH Act.
    (m) Marketing. Business Associate shall use and disclose PHI for marketing purposes only as expressly directed by Covered Entity, and in accordance with sec. 13406(a) of the HITECH Act.
    (n) Sale of PHI and EHRs. Business Associate is prohibited from selling EHRs and PHI in accordance with sec. 13305(d) of the HITECH Act.
    (o) Business Associate’s Agents. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
    (p) Changes in Laws and Regulations and Compliance with Laws. Covered Entity and Business Associate agree to amend this Addendum as required to comply with any changes in laws, rules or regulations which affect the privacy and security of PHI and the Business Associate's duties under the Agreement and/or this Addendum. Furthermore, Business Associate agrees to cooperate with Covered Entity, as applicable, related to any other federal laws or regulations that affect PHI, such as any rules related to identify theft.

3. Obligations of Covered Entity.
    (a) Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
    (b) Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect the Business Associate’s use or disclosure of protected health information.
    (c) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s user or disclosure of protected health information.
    (d) Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR part 164 if done by Covered Entity.

4. No Third Party Beneficiaries. The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.

5. De-Identified Data. Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.

6. Amendment. Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either party to comply with the Privacy Standards, the Standards for Electronic Transactions, the Security Standards, or other relevant state or federal laws or regulations created or amended to protect the privacy of patient information. All such amendments shall be made in a writing signed by both parties.

7. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the then most current version of HIPAA and the HIPAA privacy regulations.


WHEREFORE, the Parties hereto execute this Addendum.