This Service Level Agreement (“SLA”) describes the service levels (the “Service Levels”) applicable to the subscription services provided by Youthful MD, LLC. (“Youthful MD”) for the Service provided pursuant to the Subscription Services Agreement (“SSA”) between the parties.
- “System Availability” will mean, with respect to any particular calendar month, the ratio obtained by subtracting Unscheduled Downtime during such month from the Total Time during such month, and thereafter dividing the difference so obtained by the total time during such month.
- “System Uptime” will mean the total amount of time during any calendar month, measured in minutes, during which Customer has the ability to access the features and functions of the Service as contemplated in this Subscription Services Agreement.
- “Scheduled Downtime” will mean the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access the Service due to planned system maintenance performed by Youthful MD or its subcontractors. Youthful MD will exercise reasonable efforts to perform scheduled system maintenance between the hours of 8:00 PM and 6:00 AM Eastern Standard Time, and to provide notice to Customer at least twenty-four (24) hours in advance of a planned system maintenance.
- “Total Monthly Time” is deemed to include all minutes in the relevant calendar month, to the extent such minutes are included within the term of the Subscription Services Agreement.
- “Customer” means either you as an individual, or a corporate entity or other business organizations to whom Youthful MD provides the Service for use by itself or by Authorized End Users. The term Customer is deemed to include Authorized End Users.
- System Availability. Youthful MD will undertake commercially reasonable measures to ensure that System Availability equals or exceeds 99.5% during each calendar month (the “Service Standard”), provided that any Unscheduled Downtime occurring as a result of (i) Customer’s breach of any provision of the Agreement; (ii) non-compliance by Customer with any provision of this SLA; (iii) incompatibility of Customer’s equipment or software with the Service; (iv) performance of Customer’s Systems; (v) force majeure, as defined in Section 11.5 of the Subscription Services Agreement, or (vi) issues with the internet backbone provider, Third Party Hosting Provider or general network connectivity shall not be considered toward any reduction in System Availability measurements. Youthful MD will not be liable for any lost revenues during down time.
- Access to Support; Response Times. Customer may report Unscheduled Downtime at any time by email at support@YouthfulMD.com and by telephoning Youthful MD during normal “Business Hours” (9:00 AM to 5:00 PM Eastern Standard Time, Monday through Friday, excluding Youthful MD holidays) at +1 855-411-2225.
Youthful MD will exercise commercially reasonable efforts to initiate remedial activity within two (2) hours of each report of Unscheduled Downtime during Business Hours for issues affecting connectivity and Server Availability. During non-Business Hours, Youthful MD will initiate remedial activity within one (1) day for issues affecting connectivity and Server Availability.
- System Monitoring and Measurement. Youthful MD will provide for monitoring of System Availability on an ongoing basis. All measurements of System Availability will be calculated on a monthly basis for each calendar month during the term of the Subscription Services Agreement.
- Customer Obligations. Customer is responsible for maintenance and management of its computer network(s), servers, software, and any equipment or services related to maintenance and management of the foregoing. Customer is responsible for correctly configuring its systems in accordance with any instructions provided by Youthful MD, as may be necessary for provision of access to the features and functions of the Service.
- Non-Performance by Customer. The obligations of Youthful MD set forth in this SLA will be excused to the extent any failures to meet such obligations result in whole or in part from Customer’s or its user’s failure(s) to meet the foregoing obligations.
BUSINESS ASSOCIATE AND CONFIDENTIALITY AGREEMENT
In the event Customer is a “Covered Entity” and Youthful MD is a “Business Associate” (jointly, the “Parties”), the Parties hereby enter into this Business Associate and Confidentiality Agreement (“BAA”).
Recitals
- Covered Entity has retained Youthful MD to provide certain products and services (the “Service”), as set forth in the Subscription Services Agreement and the Service Level Agreement in place between the Parties (collectively, the “Services Agreement”).
- The Parties’ performance under the Services Agreement may or will require Covered Entity to disclose and/or provide to Business Associate private and/or protected health and/or medical information as defined under, and governed by, applicable state law, and Individually Identifiable Health Information and/or Protected Health Information as defined in the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and/or regulations promulgated under such laws (state law, HIPAA, and HITECH are hereafter referred to collectively as “Privacy Laws”) and may or will require Youthful MD to receive, access, review, maintain, retain, modify, record, store, forward, produce, hold, use, create, disclose, and/or destroy such information (the “PHI”).
- Youthful MD’s performance of the Service may give rise to certain legal obligations under Privacy Laws and Youthful MD may be considered a “Business Associate” and Customer may be a “Covered Entity” as those terms are defined in 45 C.F.R. § 160.103. Accordingly, the parties hereto (“Parties”) agree to the terms and conditions set forth below:
Terms of Business Associate Agreement
- PERFORMANCE AND COMPLIANCE WITH LAW. The Parties will work together in good faith to determine applicability of Privacy Laws, and they agree to comply with applicable Privacy Laws and to amend this BAA as necessary for Covered Entity and Business Associate to comply with applicable Privacy Laws, as modified and/or supplemented from time to time.
- INTERPRETATION. Any ambiguity herein must be resolved in favor of a meaning that permits both Covered Entity and Business Associate to comply with applicable Privacy Laws, consistent with the Services Agreement. Capitalized terms not specifically defined in this BAA have the meanings assigned to them under 45 C.F.R. Parts 160, 162 and 164.
- OWNERSHIP OF PHI. All patient data provided to Business Associate by Covered Entity shall be considered the property of the respective patient, except to the extent to which applicable law requires that such patient data is the property of Covered Entity. This BAA will not apply to de-identified PHI.
- PRIVILEGES AND PROTECTIONS. This BAA does not constitute or evidence a waiver of, nor does it amend, the attorney-client privilege, the attorney work-product doctrine, and/or any other applicable privileges or protections.
- BUSINESS ASSOCIATE’S OBLIGATIONS.
- Handling of the PHI and Safeguards. Business Associate will endeavor to prevent access, use and/or disclosure of PHI other than as permitted or required by this BAA, the Services Agreement, and/or applicable Privacy Laws, and will implement and use, at all times, appropriate administrative, physical and technical safeguards designed to (i) prevent access, use or disclosure of PHI other than as permitted by this BAA and/or Privacy Laws; and (ii) reasonably and appropriately protect the confidentiality, integrity, security, and availability of PHI.
- Minimum Necessary Use and Disclosure. Business Associate will determine the amount of PHI necessary for performance of the Service and will make reasonable efforts to limit the receipt, use, and disclosure of PHI to the minimum necessary as required by Privacy Laws.
- Management and Administration. In using and/or disclosing PHI for management and administrative purposes, Business Associate will comply with all applicable Privacy Laws and with Covered Entity’s obligations under subpart E of 45 CFR Part 164.
- Disclosures to Subcontractors and/or Third Parties. Prior to disclosing any PHI to any third persons and/or entities, Business Associate shall ensure that all representatives, subcontractors, persons and/or entities (other than entities that are merely conduits) to whom Business Associate discloses or provides the PHI execute a written Business Associate Agreement, as required by Privacy Laws, in which such third persons and/or entities expressly agree to the same restrictions and conditions that apply to Business Associate hereunder, to the extent required by Privacy Laws. If a Business Associate Agreement is not required by the Privacy Laws, Business Associate shall obtain reasonable assurances from all persons and entities who have access to or are recipients of the PHI that: (i) the PHI will be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and (ii) the third party will promptly notify Business Associate of any Compromise of PHI, and Business Associate will, in turn, notify Covered Entity.
- Pursuant to applicable state law requirements to allow individuals to request the disclosure of their PHI to third parties, HIPAA’s authorization requirements for the use and/or disclosure under 45 C.F.R. § 164.508, and the Records Administration Service provided in Section 11.2(e) of the Services Agreement, Business Associate will respond directly to any individual’s authorization to disclose his or her PHI to a third party, including, but not limited to, the disclosure of such PHI to a third party
- Access to, or Amendment of, PHI. To the extent Business Associate maintains any PHI in a Designated Record Set, Business Associate agrees:
- to provide access to the PHI in a Designated Record Set to authorized individuals as required by Privacy Laws and in the time, manner, and format designated by such individuals to the extent required by Privacy Laws;
- to respond directly to any such authorized individual’s request for access to his or her PHI in a Designated Record Set pursuant to the Records Administration Service provided in Section 11.2(e) of the Services Agreement and 45 C.F.R. § 164.525; and
- to make any amendment(s) to PHI in a Designated Record Set as requested by Covered Entity and/or authorized individuals pursuant to 45 C.F.R. § 164.526.
- Restrictions on PHI. Business Associate will comply with any patient restrictions on the Use and Disclosure of PHI reasonably requested by Covered Entity under Section 6.2 below.
- Reporting Breaches and Security Incidents. Within five (5) days of obtaining knowledge thereof, Business Associate will promptly report to Covered Entity any impermissible use or disclosure under Privacy Laws that compromises the security or privacy of the PHI (“Breach”) and any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that does not compromise the security or privacy of the PHI (“Security Incidents”). Notice is hereby deemed provided, and no further notice will be given, with respect to routine unsuccessful attempts at unauthorized access to ePHI such as pings and other broadcast attacks on firewalls, denial of service attacks, failed login attempts, and port scans. Business Associate will identify and respond internally to suspected or known Security Incidents, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide such documentation to Covered Entity upon request.
The Parties will meet and confer in good faith before notifying affected individuals and/or commencing any legal action regarding any suspected or actual Breach or Security Incident and/or breach of this BAA, so long as doing so will not constitute a violation of Privacy Laws and shall comply with applicable Privacy Laws regarding the need for and nature of any notification.
If the Parties are unable to agree during their meet and confer, Business Associate will not be responsible for any notification obligations under Privacy Laws, and specifically, without limitation, obligations under section 13402 of HITECH.
- Accounting of PHI Disclosures. At the request of Covered Entity, Business Associate will document and report to Covered Entity all disclosures of PHI that are required for Covered Entity to provide an accounting under 45 C.F.R. § 164.528 and/or Privacy Laws. If an individual contacts Business Associate directly for such an accounting, Business Associate will direct the individual to contact Covered Entity.
- Audits and Inspections. Business Associate will make its internal practices, books, and such records as are not protected by applicable legal privilege or work product protection relating to the use, disclosure, and/or compromise of PHI available to Covered Entity to determine compliance with applicable Privacy Laws and this BAA, and to the Secretary of the United States, Department of Health and Human Services, and/or other authorized lawful authority as required by law or authorized by Covered Entity in writing.
- Sale and Use of PHI for Fundraising and/or Marketing. Subject to Covered Entity obtaining the requisite consents and/or authorizations, Business Associate may receive remuneration in exchange for using and/or disclosing PHI for Fundraising and/or Marketing purposes.
- COVERED ENTITY’S OBLIGATIONS.
- Authorizations. Covered Entity will obtain all consents and authorizations necessary and/or required by law for both parties to perform under the Services Agreement, including Business Associate’s communications with patients on Covered Entity’s behalf if applicable, and for both parties to fulfill their obligations under applicable Privacy Laws and this BAA.
- Restrictions and Revocations. Covered Entity will promptly notify Business Associate in writing of any patient-requested restrictions, changes to, or revocation of, consent and/or authorization to use and/or disclose PHI that may affect Business Associate’s ability to perform its obligations under this BAA and/or the Services Agreement.
- Notice of Privacy Practices. Covered Entity will promptly provide Business Associate a copy of its Notice of Privacy Practices (“NOPP”) under Privacy Laws, including without limitation 45 C.F.R. § 164.520, and any changes to the NOPP that may affect Business Associate’s use and/or disclosure of PHI, performance of this BAA, and/or the Services Agreement.
- Accounting of PHI Disclosures. Covered Entity will include in individual accountings requested under the Privacy Laws, including without limitation, 45 C.F.R. § 164.528, any disclosures by Business Associate.
- Meet and Confer. Upon any suspected or actual Breach, unauthorized use and/or disclosure of the PHI or breach of this BAA, Covered Entity will meet and confer in good faith with Business Associate before notifying affected individuals and/or commencing any legal action, so long as doing so will not constitute a violation of Privacy Laws.
TERM AND TERMINATION
- Term. The term of this BAA will commence upon receipt by Business Associate of any PHI, or the date set forth below, whichever is earlier, and will terminate upon discharge of Business Associate’s obligations under the Services Agreement and this BAA, including the obligations set forth in Section 7.2 below, and/or performance of the Service. Notwithstanding the foregoing, Business Associate’s obligations under the Services Agreement and this BAA shall extend throughout the duration of the Records Administration Service as defined in Section 11.2(e) of the Services Agreement.
- Termination Upon Bankruptcy. In the event of the filing of a petition in voluntary bankruptcy or an assignment for the benefit of creditors by a Party, or upon other action taken or suffered, voluntarily or involuntarily, under any federal or state law for the benefit of debtors by the Party, except for the filing of a petition in involuntary bankruptcy against the Party which is dismissed within thirty (30) days thereafter, the other Party may give notice of the immediate termination of this BAA.
- Termination Without Cause. Either Party may terminate this BAA at any time without cause by providing the other Party with thirty (30) days prior written notice; termination of this BAA will result in automatic termination of the SSA, and the Service provided thereunder, but will not free Covered Entity from the full financial obligations of the Services Agreement and accompanying Order Form for its contracted term.
- Breach. If either party hereto breaches its obligations under this BAA, the non-breaching party will provide the other with notice and a thirty (30) day period to cure the breach. If the breaching party fails to cure the breach or cure is not possible within thirty (30) days, the non-breaching party may terminate this BAA immediately upon written notice and without further legal action or declaration.
- Effect of Termination. Upon termination of this BAA, which, as provided in Section 7.1 above, shall not precede termination of the Records Administration Services as provided in Section 11.2(e) of the Services Agreement, at the request of Covered Entity, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, provided, however, that in the event that Business Associate determines that returning or destroying the PHI is infeasible, and/or Privacy Laws require or recommend that Business Associate maintain records containing PHI, Business Associate will not return or destroy the PHI, but will extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible or contrary to the Privacy Laws, for so long as Business Associate maintains such PHI. Return or destruction of PHI generally will not be feasible, as applicable rules of professional conduct and/or professional responsibility and/or other state and federal laws require or recommend that Business Associate maintain records of the services provided and otherwise relating to legal representation of its clients.
- Severability. If any provision of this BAA or part thereof is found to be invalid, the remaining provisions will remain in full force and effect.
- Inconsistency. In the event of any inconsistency between any term(s) in the Services Agreement and this BAA, the term(s) of this BAA shall control.
- Waiver. Any failure of a Party to insist upon strict compliance with any term, undertaking, or condition of this BAA will not be deemed to be a waiver of such term, undertaking, or condition. To be effective, a waiver must be in writing, signed and dated by the Parties to this BAA.
- No Third-Party Beneficiaries. There are no third-party beneficiaries to this BAA. Business Associate’s obligations are to Covered Entity only.
- Successors and Assigns. This BAA will inure to the benefit of, and be binding upon, the successors and assigns of the Parties. However, this BAA is not assignable by any party without the prior written consent of the other Parties.
- Dispute Resolution. If at any time during or after the term of this BAA either party hereto believes that a dispute exists between them, then the Parties agree that they shall promptly meet and confer in good faith to attempt to resolve such dispute before resorting to arbitration or court action. The Parties further agree that if they are unable to informally resolve any dispute between them or arising out of or relating to this BAA within thirty (30) days, then the dispute shall be submitted for resolution exclusively through confidential, binding arbitration, instead of through trial by court or jury, in accordance with the commercial, expedited dispute rules, then in effect, of either the Judicial Arbitration and Mediation Service (“JAMS”) or the American Health Lawyers Association Alternative Dispute Resolution Service (“AHLA”) as determined by Business Associate in its sole discretion. This BAA to arbitrate shall be specifically enforceable. Notwithstanding the foregoing, each party shall bear its own attorney’s fees and costs.
- Counterparts. This BAA may be executed in counterparts, by manual, electronic, or facsimile signature, each of which will be deemed an original and all of which together will constitute one and the same instrument.