Risk Assessment Service Agreement
This Risk Assessment Services Agreement (this “RASA”) is between ClearDATA Networks, Inc., a Delaware corporation with offices at 835 West 6th Street, 12th Floor, Austin, Texas 78703 (“ClearDATA”), and the ClearDATA Client (the “Client”) that signs a Statement of Work that incorporates this RASA by reference, and is dated effective as of the date of last signature on the SOW (the “Effective Date”).
A. Client is a covered entity or a business associate under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their respective implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), and the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”) (collectively, the “HIPAA Rules”).
B. Client may from time to time wish to engage ClearDATA to provide risk, privacy or security assessment services related to Client’s compliance with 45 C.F.R. Section 164.308(a)(1)(ii)(A) (the “Services”).
C. This RASA governs the legal terms and conditions that will apply to any engagements for ClearDATA’s Services.
1. Definitions
Capitalized terms used in the Agreement that are defined in the HIPAA Rules have the meaning assigned to them in the HIPAA Rules unless otherwise expressly stated. Other capitalized terms have the meaning assigned to them in the Section where they are first used.
2. Statements of Work
Client may request ClearDATA’s Services by signing and submitting to ClearDATA a written order (which may be titled Statement of Work, Service Order, Proposal, Quotation, or the like) that has been prepared by ClearDATA for Client’s signature and that describes the specific Services to be provided and related fees and expenses. A binding agreement for ClearDATA’s Services (a “Statement of Work” or “SOW”) is formed when (i) ClearDATA schedules the Services at Client’s request, or (ii) ClearDATA countersigns and returns the fully-signed written order to Client. Nothing in this Agreement obligates either party to enter into any Statement(s) of Work. Any Statement of Work that is entered into is subject to this RASA. The term “Agreement” as used below means this RASA and each Statement of Work, collectively. The parties may change the Services, fees, schedule and other terms of a Statement of Work only by a signed amendment that specifically references the Statement of Work to be modified and states the change in Services and related fees; provided, however, that where a Client-requested change does not materially change the terms of the Statement of Work, ClearDATA may waive the requirement for a formal signed amendment so long as the change is documented in a written exchange of correspondence between the parties that clearly evidences each party’s agreement to the change.
3. Services and Services Warranty
ClearDATA shall provide the Services described in each Statement of Work at the times and places stated in the Statement of Work, or if no times or places are stated in the Statement of Work, at the times and places mutually agreed by the parties. ClearDATA warrants that the Services will be provided in a good and professional manner. If ClearDATA breaches this warranty and Client gives notice of the breach within the applicable warranty period, as defined below, ClearDATA shall re-perform the Services such that they conform to the warranty, or if ClearDATA does not re-perform the Services such that they conform to the warranty within thirty (30) days of Client’s notice of the warranty breach, then, as Client’s sole and exclusive remedy for ClearDATA’s failure to provide the Services in accordance with this Section, ClearDATA shall refund any fees paid for the non-conforming Services. The “warranty period” is the term of the Statement of Work, plus 30 days following Client’s acceptance of the Services provided pursuant to the Statement of Work.
Client acknowledges that unless otherwise stated in the SOW, the Services are limited to risk, privacy or security assessments and do not include any remediation.
ClearDATA will comply with Client’s security and privacy policies communicated to ClearDATA.
4. Client Obligations
4.1 Client Point of Contact. Client shall appoint a single point of contact who has decision making authority with respect to the Services (the “Client PoC”). The Client PoC must understand Client’s processes and procedures as they relate to the management of protected health information, and have a reasonable technical understanding of Client’s data management systems. The Client PoC must be reasonably available during business hours to confer with ClearDATA.
4.2 Client Cooperation. Client shall promptly provide information and materials, and give ClearDATA access to its facilities and systems, as ClearDATA reasonably requests for the purpose of completing the Services. ClearDATA is excused for late performance of the Services to the extent the delay results from Client’s failure or delay in providing information, materials, or access. Client acknowledges that its material or chronic delay is a material breach of the Agreement, giving rise to a right of termination. In addition to any other remedies available to ClearDATA in respect of such breach, ClearDATA may reschedule the Services and charge Client rescheduling fees as described in Section 8 (Scheduling Changes). Client acknowledges that the quality of the Services deliverables depends on Client providing accurate and complete information related to its management of ePHI or other sensitive information as defined in the SOW. Client acknowledges that ClearDATA’s fees for the Services may exceed the estimate stated in the applicable SOW if ClearDATA is required to re-perform any part of the Services as a result of Client’s provision of inaccurate or incomplete information.
4.3 Risk Report. If the deliverables include ClearDATA’s report of its findings, assessments, evaluations, recommendations, conclusions, results or like content regarding Client’s security or privacy safeguards or controls, risk controls, or other business processes (a “Risk Report”), Client may not share the Risk Report with a third party except in the complete and unmodified form provided by ClearDATA. Client shall ensure that each copy of the Risk Report that is disclosed to a third party includes the Notice to Third Parties in the form attached to this Agreement as Exhibit A. Client shall also require each third party to whom it provides the Risk Report to sign written confidentiality obligations covering the Risk Report that prohibit further disclosure or use for purposes other than those described in the Notice to Third Parties. Client may not combine the Risk Report with other materials except as expressly permitted in advance by ClearDATA.
The Client PoC will perform any interim review reasonably requested by ClearDATA in connection with interim reports or other Services deliverables, and provide detailed feedback to enable ClearDATA to complete the Services and deliverables in accordance with the SOW. The Client will give ClearDATA notice of its acceptance or rejection of the final Services and related reports and deliverables promptly on completion of the Services and delivery of the deliverables. If the Client has not provided a written notice of rejection on or before the 10th business day from delivery or completion, the Services and related deliverables will be deemed accepted as of the 10th business day. Client may reject the Service or deliverables only if they fail to conform to the requirements stated in the SOW. Client shall identify the specific way(s) in which the Services or deliverables fail to conform to the SOW in its rejection notice. ClearDATA will have 10 business days from the notice of rejection to cure any items of non-conformance and resubmit the Service for acceptance. The Client will then have a second 10 business day period to test and evaluate the Services and deliverables. If the Client rejects the Service or deliverables a second time, the Statement of Work is terminated, and the parties agree to negotiate in good faith to resolve any outstanding fees for Services provided.
6. Third Party Services
ClearDATA may deliver or administer third party services in connection with the Services, such as penetration tests, vulnerability scans, or other related services. ClearDATA warrants that it shall administer or deliver the third-party services in accordance with the standards and requirements of the third party, but otherwise makes no representation or warranty whatsoever about the third-party services. Third party services delivered or administered by ClearDATA are provided AS IS and fees for third party services are non-refundable.
7. Fees and Expenses
7.1 Fees and Expenses. Client shall pay the fees stated in the Statement of Work. ClearDATA may invoice recurring monthly fees monthly or annually in advance, as agreed, and may invoice other fees at the times stated in the Statement of Work. Client shall pay ClearDATA’s reasonable travel expenses for travel outside of the metropolitan Austin, Texas, or Phoenix, Arizona areas, including air and ground transportation, lodging, meals and other incidental expenses, such as hotel Wi-Fi connectivity charges. ClearDATA may require payment of its travel expenses in advance, or may invoice Client for the expenses.
7.2 Early Termination Fee. If Client terminates a Statement of Work for convenience, or ClearDATA terminates a Statement of Work for Client’s breach, Client shall pay an early termination fee equal to the monthly recurring fees for the then remaining annual period of the Statement of Work. The “annual period” of a Statement of Work begins on the effective date or the anniversary of the effective date of the Statement of Work, as applicable, and ends on the next anniversary. ClearDATA may invoice the early termination fee on or after its receipt of Client’s notice of termination for convenience or ClearDATA’s notice of termination for breach, as applicable.
7.3 Payments. Invoices are due on receipt and are overdue five (5) business days from receipt. Client shall pay fees by payment card unless it has made other arrangements with ClearDATA. ClearDATA may, at its option, charge interest on overdue amounts at the lesser of 1.5% per month or the highest non-usurious rate permitted under applicable law. If Client fails to pay any properly invoiced amount when due and does not cure the late payment within ten (10) days of ClearDATA’s written notice, ClearDATA may suspend the Services until the late payment and related interest are paid in full. If ClearDATA takes legal action to collect an overdue amount, it may require Client to also pay ClearDATA’s reasonable costs of collection, including collection agency fees, court costs and reasonable attorney fees. Fees stated in the Statement of Work are exclusive of sales, use, VAT and similar taxes (“Sales Tax”). Client will remit any Sales Tax that ClearDATA invoices in connection with the Services unless Client has provided reasonable documentation of a Sales Tax exemption. If Client disputes any invoiced amount, Client must give written notice describing the dispute within thirty (30) days of the invoice date or the right to dispute the invoiced amount is waived.
8. Scheduling Changes
Client acknowledges that ClearDATA will schedule internal and third-party resources based on Client’s commitment to Services start and completion dates stated in a Statement of Work. On Client’s request, ClearDATA will use reasonable efforts to reschedule an agreed date for the performance of the Services, provided that Client agrees to pay any additional expense incurred by ClearDATA as a result of the rescheduling. If Client cancels or reschedules the performance of the Services less than two weeks prior to the scheduled start date, ClearDATA may charge the entire agreed fee for the Services plus its out-of-pocket expenses incurred in connection with the scheduled Services. If Client cancels or reschedules the Services two weeks or longer prior to the scheduled date ClearDATA may charge ClearDATA’s out-of-pocket expenses incurred in connection with the scheduled Services. In no event shall ClearDATA be required to refund to Client any prepaid fees or deposits for any cancelled or rescheduled Services, or any fees for third party materials.
9. ClearDATA Materials
Client may not record or transcribe any presentations given as part of the Services, in text, audio, visual or other form or media, without ClearDATA’s prior written consent. If ClearDATA consents to the recording or transcription of its Services, then Client may use the recording or transcription only for its internal business purposes unless expressly stated otherwise in ClearDATA’s written consent. Unless otherwise agreed in writing, ClearDATA shall own all rights in any recording or transcription of the Services that is made by Client, including any copyright, and Client shall be licensed to use the recording or transcription for its internal business purposes only, with no right of distribution.
11. Confidential Information
Information disclosed by one party (the “Discloser”) to the other party (the “Recipient”) regarding the Discloser’s data, operations, products or services, technologies, assets, liabilities, financial results, financing plans, business methods, strategies, pricing, product development plans, marketing strategies, suppliers, employees and other personnel, and all other information disclosed by Discloser that Recipient should reasonably understand to be confidential, due to the nature of the information or the circumstances of its disclosure, is the “Confidential Information” of the Discloser, regardless of the form or manner in which it is disclosed, and regardless of whether the information is marked or designated as confidential. The terms of the Agreement are the Confidential Information of each party. However, information that would otherwise be “Confidential Information” under this Agreement is not “Confidential Information” if the information: (i) becomes publicly known through no fault of Recipient; (ii) was rightfully known by Recipient, or in Recipient’s possession, before Discloser’s disclosure; (iii) is disclosed to Recipient by a third party who, to Recipient’s knowledge, acquired the information without violation of law, contract, or other confidentiality obligation to the Discloser; or (iv) is independently developed by Recipient without any use of, access to, or reference to the Confidential Information of Discloser, as evidenced by Recipient’s written business records. The Recipient may not disclose the Discloser’s Confidential Information except to Recipient’s employees, and to third parties who need to know the information to represent or advise the Recipient with respect to the subject matter of this Agreement, provided that all such persons must be bound by written confidentiality obligations covering the Confidential Information that are at least as stringent as those stated in this Agreement.
Each party agrees not to use the other party’s Confidential Information except in connection with the performance of its obligations or exercise of its rights under the Agreement. However, Recipient shall not be in violation of this Section if it discloses or uses Discloser’s Confidential Information to comply with a legal requirement, such as a subpoena or preservation order, or to bring or defend a claim against Discloser in an adjudicatory proceeding, provided that Recipient has limited its disclosure to only that Confidential Information reasonably necessary in light of the circumstances, and has given Discloser reasonable advance notice of the disclosure or use (unless such notice is prohibited by law). Each party agrees to use reasonable care to protect the other party’s Confidential Information from unauthorized use and disclosure. Each party agrees not to reverse engineer, decompile, or disassemble the other party’s Confidential Information, except as permitted by applicable law and then on advance written notice of at least thirty (30) days to the other party. Each party shall return or destroy the other party’s Confidential Information on request of the other party, provided that a party may retain the other party’s Confidential Information to the extent reasonably necessary to use the Services, or to maintain reasonable and customary business records. On request of a party, the other party shall certify its compliance with the preceding sentence. Each party shall be responsible for a breach of this Section by its agents, representatives, and third parties to whom it discloses Discloser’s Confidential Information. Nothing in this Section shall limit either party’s present or future business activities, including business activities that may be competitive with those of the other party. This Agreement shall in no way limit either party from assigning employees.
The unintentional use of Confidential Information retained in a party’s representatives’ unaided memories does not create liability under this Agreement or trade secret law and each party agrees to limit its disclosure to the other party accordingly.
Notwithstanding anything in this Section to the contrary, if ClearDATA and Client have signed a Business Associate Agreement, then the Business Associate Agreement shall govern ClearDATA’s use and disclosure of Client’s ePHI. If there is any inconsistency between the confidentiality terms stated above and a Business Associate Agreement, the Business Associate Agreement controls.
12. Term and Termination
12.1 Term. The initial term of each Statement of Work is the period stated in the Statement of Work, or if no period is stated, that period of time reasonably necessary to provide the Services described in the Statement of Work. Upon expiration of the initial term of a Statement of Work that describes monthly recurring services, the Statement of Work automatically renews for consecutive renewal terms of one month each unless and until one party gives the other notice of non-renewal at least thirty (30) days prior to the expiration of the initial term or then current renewal term, as applicable. This RASA continues until the expiration or termination of all Statements of Work entered into between the parties.
12.2 Termination for Convenience. Either party may terminate this RASA on written notice, provided that termination of this RASA does not have the effect of terminating any Statement of Work unless otherwise expressly stated in the notice of termination. This RASA survives termination as to any Statement of Work that remains active as of the time of termination until non-renewal or termination of the Statement of Work. Client may terminate a Statement of Work at any time for convenience, subject to Client’s obligation to pay an early termination fee as described in Section 7.2 (Early Termination Fee).
12.3 Termination for Breach. A party may terminate a Statement of Work or may terminate this RASA and all Statements of Work for breach if the other party fails to perform a material obligation stated in a Statement of Work or this RASA and does not cure the failure within a reasonable period of time following the other party’s written notice of the breach. No termination of the Agreement relieves either party of any obligations incurred under the Agreement prior to the date of expiration or termination, including, without limitation, Client’s obligation to pay fees.
13. Warranty Disclaimer, Limitation of Liability
Except for the warranties expressly stated in the Agreement, the Services are provided AS IS. ClearDATA disclaims any implied warranties, including any implied warranties of merchantability, and suitability for a particular purpose, and any warranties or representations that arise through a course of dealing. Specifically, but without limitation, ClearDATA does not warrant that the Services or deliverables will be error free or completely accurate. Client acknowledges that the Services do not involve the provision of legal advice or any definitive interpretation of laws or regulations, and ClearDATA does not warrant or represent that the Services or Client’s implementation of any recommendations provided by ClearDATA will result in Client’s full compliance with HIPAA or other legal or regulatory requirements or standards. Client is solely responsible for determining whether it complies with HIPAA and other legal and regulatory requirements applicable to its operations generally.
Except for claims arising from a party’s breach of its confidentiality obligations or intentional breach of the other party’s intellectual property rights, neither party nor its affiliates shall be liable to the other for any lost profits or lost revenue, or any indirect, special, incidental, punitive, or consequential loss or damage of any kind arising in connection with the Services provided subject to the Agreement, even if the party has been advised of or should be aware of the possibility of such damages.
Notwithstanding anything to the contrary in the Agreement, excluding: (i) claims arising from a party’s gross negligence, recklessness, or intentional tort, (ii) claims arising from a party’s intentional breach of its confidentiality obligations, and (iii) a party’s obligations stated in Section 15 (Indemnification), the maximum aggregate liability of a party and its affiliates under or in connection with the Agreement shall not exceed the fees paid and payable for the Statement of Work covering the Services from which the claim arose. The limitations stated in this Section apply to any liability arising from any cause of action whatsoever, whether in contract, tort, strict liability or otherwise, even if the limited remedies stated fail of their essential purpose. Nothing in this Subsection precludes a party from seeking specific enforcement, injunctive relief or other equitable remedy. If these limitations as written are not permitted by applicable law, they shall apply to the extent permitted by applicable law.
14. Intellectual Property
Except as specifically provided in the Agreement, each party retains all right, title and interest in and to its intellectual property. Specifically, but without limitation, Client retains all right, title and interest in and to its data and other proprietary information. ClearDATA may use Client’s data and proprietary information solely for the purpose of performing the Services. Client hereby licenses to ClearDATA any feedback or suggestions that it or its personnel may give ClearDATA regarding the Services on a perpetual, irrevocable, royalty free, worldwide, unconditional, fully sub-licensable and transferable basis, including the right to make, have made, use, sell, offer to sell, import, copy, display, perform, modify, distribute in modified or unmodified form, and commercialize any intellectual property.
15. Indemnification
Each party shall indemnify, defend and hold harmless the other party, and each of the other party’s members, managers, officers, employees, agents and other personnel, from and against third party claims asserting or arising out of that party’s gross negligence, recklessness or misconduct, including damages, liabilities, judgments, settlements, fines, penalties, costs and expenses (including reasonable attorney fees) that arise from the claim.
16. Governing Law, Disputes
The Agreement shall be governed by and interpreted under the laws of the State of Texas, without giving effect to any conflicts of law principles that would require the application of the law of a different jurisdiction. The parties expressly and irrevocably disclaim and waive the application of the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act. The parties agree that any lawsuit or other action related to the Agreement shall be brought in a court located in Travis County, Texas, and that neither of them shall dispute the personal jurisdiction of such court. Each party agrees that it will not file a lawsuit or other legal action in connection with the Agreement unless it has first given the other party written notice of the dispute and attempted to resolve the dispute through good faith negotiation. To the extent permitted by applicable law, each party waives the right to a trial by jury in respect of any litigation arising out of or related to this Agreement and the parties’ activities in connection with this Agreement. A party may not bring an action in relation to the Agreement more than two (2) years after the date that the cause of action accrued.
17. Notices
The parties’ addresses for notice purposes are the addresses appearing on the latest Statement of Work between them. Notices required or permitted by the Agreement shall be given by electronic mail with a copy transmitted via first class United States mail on the date of the electronic mail notice. Notices are deemed given, received and effective as of the time transmitted by electronic mail, or if that time does not fall within a business day, as of the beginning of the first business day following the time transmitted. Notices must be given in the English language. A party may change its address for notice by giving notice in the manner stated in this Section.
18. Relationship Between the Parties
The parties are independent contractors and neither party shall be the agent of the other or have the authority to bind the other party on any contract. The parties do not agree to any exclusivity in regards to the subject matter of the Agreement and each party is free to contract with third parties, including competitors of the other party, for transactions of the type covered by the Agreement in any market, worldwide.
Neither party may issue any press release or other publicity regarding the Agreement or the relationship or transactions contemplated by the Agreement without the prior written consent of the other party. Neither party may use the other party’s name, logo or other trade or service marks without the other party’s prior consent, and then only to the limited extent expressly authorized, and subject to the other party’s reasonable trademark usage guidelines that are communicated to the party from time to time.
In the event one or more of the terms of the Agreement are adjudicated invalid, illegal, or unenforceable, the adjudicating body may either interpret the Agreement as if such terms had not been included, or may reform such terms to the limited extent necessary to make them valid, legal or enforceable, consistent with the economic and legal incentives underlying the Agreement. The Agreement may be modified only by a written document that expressly refers to the Agreement by name and date and is signed by the parties. No right or remedy arising in connection with the Agreement shall be waived by a course of dealing between the parties, or a party’s delay in exercising the right or remedy. A party may waive a right or remedy only by signing a written document that expressly identifies the right or remedy waived. Unless expressly stated in the waiver, a waiver of any right or remedy on one occasion will not be deemed a waiver of that right or remedy on any other occasion, or a waiver of any other right or remedy. The pre-printed terms on a party’s purchase orders or other business forms shall have no effect whatsoever. Unless and to the extent specifically stated otherwise in another part of the Agreement, an electronic “agree” or “accept” entered by a party’s personnel as part of the installation or activation process for any software or services provided under the Agreement shall be of no force or effect whatsoever. The word “including” shall be read to mean “including, without limitation.” The term “business day” shall mean 9:00 a.m. – 5:00 p.m., United States Central Time, Monday – Friday, excluding federal public holidays in the United States. Any requirement in the Agreement that a statement be written, in writing, or a like requirement, is satisfied by an email or other digital form of writing unless expressly stated otherwise.
Nouns stated in the singular shall imply the plural as indicated by the context, and pronouns that are gender specific shall be read to refer to either gender. The Section captions in the Agreement are for convenience only; they are not part of the Agreement and may not be used to interpret the Agreement. Unless and to the extent specifically stated otherwise in some other section of the Agreement, there are no third-party beneficiaries to the Agreement. Neither party’s customers, end users, suppliers, or any other person shall have the right to enforce the Agreement. The terms of this Agreement that by their nature are intended to survive termination shall survive termination, such as Confidential Information, Term and Termination, Indemnification, Limitation of Liability, Intellectual Property, Governing Law, Venue, Disputes, and Notices. The Agreement may be signed in multiple counterparts, which taken together shall be read as one agreement. A signed agreement transmitted by facsimile, email attachment, or other electronic means shall be considered an original. The parties agree that electronic or digital signatures shall be given the same effect as a manual signature. The individuals signing below represent and warrant that they have authority to act on behalf of the party for whom they are signing, and that all necessary corporate approvals have been obtained for the transactions reflected in the Agreement.
This RASA is the complete and exclusive agreement between the parties regarding its subject matter and supersedes and replaces in its entirety any prior or contemporaneous agreement or understanding regarding the subject matter, written or oral.
Attach: Exhibit A Notice to Third Parties
Notice to Third Parties from ClearDATA Networks, Inc.
This report includes confidential information of ClearDATA Networks, Inc. ClearDATA permits Client to disclose this report to you on the following conditions:
You will not further disclose this report to any other person;
You understand that ClearDATA undertakes no responsibility to you as to the subject matter of this report; and
ClearDATA disclaims any warranty or representation that Client’s security safeguards meet your business or security requirements.
This report was prepared under a contractually agreed specification between ClearDATA and Client, based on information provided to ClearDATA by Client. It is provided to you for informational purposes only. You should rely only on your own verification of the risks, controls and safeguards covered by this report.