DRFIRST MASTER SUBSCRIPTION AGREEMENT IPRESCRIBE

This Master Subscription Agreement (“MSA”) is entered into by and between DrFirst.com, Inc. (“DrFirst”) and the entity identified on the applicable electronic invoice as the purchaser of the iPrescribe subscription, including its affiliates and subsidiaries (referred to collectively, as “Company”). It is considered effective upon completion of payment for the subscription.

DrFirst.com, Inc. offers access to a subscription-based online electronic prescription system that allows for electronic prescribing and other online tools and related services (also “iPrescribe”), to assist individual physicians, their clinical staff, and their office staff (collectively, “End Users”) to perform a variety of health care activities associated with electronic prescribing and electronic medication management. The iPrescribe subscription has been made available to Company, and Company’s access and use of the iPrescribe Subscription is subject to the following terms and conditions. Therefore, DrFirst and Company agree as follows:

I. DrFirst Services.  DrFirst provides software applications, platforms, and services for electronic prescribing, medication management, and related products (“the Applications”) for use by Authorized End Users.  As used herein, the term “Authorized End User” means an individual who (i) has registered with DrFirst as a user of an Application; (ii) is authorized by virtue of such individual’s relationship to, or permissions from, Company to access DrFirst Applications pursuant to the PA; and (iii) has executed the terms of use agreement applicable to the Application.  Access to Applications provided by DrFirst shall be subject to the terms of this MSA. 

II. Company Obligations for all Applications.  Company shall obtain consents or authorizations from patients to allow Company to use and disclose patient information and records through the Applications.  Company shall ensure that Company’s use of the Application, and access by Authorized End Users, complies with applicable laws and regulations.  To the extent applicable, Company shall ensure that its Authorized End Users use the most up-to-date version of the Applications and will be responsible for any failure to do so.  Company’s Authorized End Users shall be obligated to adhere to any Terms of Use as a material condition of using any DrFirst Applications. Detailed Company obligations are established in the applicable PA. Company must execute and abide by the Business Associate Agreement attached hereto as Exhibit A.

III. Ownership of Software, Products and Intellectual Property. Subject only to the limited rights expressly granted to Company in a PA, DrFirst has sole and exclusive rights to the DrFirst Brand, the Application, the software associated with the Application, including interface software, and all related materials, including all copies thereof in any form or medium, whether now known or existing or hereafter developed, and including all copyrights, patents, trade secrets, trademarks, trade names and intellectual property rights associated therewith.  All goodwill arising in or from the DrFirst Brand shall inure solely to DrFirst’s benefit.   Company shall not:  (i) attempt to de-compile, reverse assemble, reverse engineer, or attempt to gain access to the source code of  any software furnished by DrFirst; (ii) import, add, modify or create derivative works of any such software or user materials;  (iii) delete data in any such software database by any method other than direct data entry through the Application, or through a DrFirst developed interface; or (iv) remove any proprietary notices, labels, or marks from any software or user materials provided by DrFirst.  The software, user materials, and other rights granted herein may not be transferred, leased, assigned, or sublicensed without DrFirst’s prior written consent, except to a successor in interest of Company’s entire business who assumes the obligations of the MSA.  In the event of any unauthorized transfer, Company’s rights under the MSA shall automatically terminate.

IV. Confidentiality. During the performance of this MSA, each party may have access to certain confidential information of the other party or third parties (“Confidential Information”).  Both parties agree that all Confidential Information is proprietary to, and shall remain the sole property of, the disclosing party or such third party, as applicable. Each party receiving Confidential Information shall (i) use the Confidential Information only for the purposes described herein; (ii)  not reproduce the Confidential Information except as minimally necessary to use under this MSA; (iii) hold in confidence and protect the Confidential Information from dissemination to, and use by, any third party; (iv) not create any derivative work from Confidential Information ; (v) restrict access to the Confidential Information to such of its personnel, agents, and/or consultants, if any, who have a need to have access for purposes of performing said party’s obligations hereunder and who are under an obligation of confidentiality with respect to the Confidential Information; and (vi)  return or destroy all Confidential Information  in its possession upon termination or expiration of the MSA. Confidential Information does not include information  that is: (i) publicly available or in the public domain, through no fault of the recipient; (ii) already in the recipient’s possession free of any confidentiality obligations with respect thereto at the time of disclosure; (iii) independently developed by the recipient without access or reference to the Confidential Information disclosed by the other party; (iv) approved for release or disclosure by the disclosing party without restriction. 

V. Compliance With Privacy Laws.  The parties agree to comply with all applicable state and federal laws and regulations governing the protection of protected health information, including, but not limited to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, all implementing laws and regulations related thereto, and the Business Associate Agreement attached hereto as Exhibit A and incorporated by reference.

VI. Data Handling.  DrFirst may de-identify protected health information and other data provided to it by Company.  Company shall allow DrFirst and Surescripts, without notice, the ability to access, inspect, and review all records related to information and Medication History Information provided by or through the Surescripts network through the Application.

VII. Use of Medication History Information. Company agrees that it will only use medication history information provided by an Application (“Medication History Information”) for the purpose of providing direct health care services to a Company patient.  Certain services are provided over a network operated by Surescripts, LLC (“Surescripts”).  Company acknowledges that the Medication History Information provided hereunder may not be complete or accurate, and neither DrFirst, Surescripts, nor any pharmacy or other entity providing information under the Medication History Service provides any representations or warranties with respect to the accuracy or completeness of the Medication History Information. Company releases and holds harmless DrFirst, Surescripts, and any person or entity providing Medication History Information from any liability, cause of action, or claim related to the completeness or lack thereof of the Medication History Information.  Company is not required to release and hold harmless any party whose conduct is found to be willfully malicious or reckless or grossly negligent. Company agrees to confirm the accuracy of the Medication History Information with the patient prior to providing any medical services based thereon and Company agrees that its Authorized End Users shall use their professional judgment in the provision of care.  Company acknowledges that the Medication History Service shall be used only for those patients from whom Company has obtained prior consent of the patient to access such patient’s medication history.  Other than in the course of treatment for the Company’s patient, Company shall not provide the Medication History Information to any other person or entity for any reason whatsoever, or use the Medication History Information for any other purpose. 
Company shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of any data provided hereunder for any purpose not authorized by this MSA. Company shall not use any Medication History Information for any reason, whether in aggregated form or otherwise, except for the sole purpose of treating a Company patient.

VIII. Influencing of Providers. Company shall not use any means, program, or device to influence or attempt to influence the decision of an Authorized End User to write a prescription for a certain medication or to send the prescription to a certain pharmacy. Information related to formulary and benefit plan design and information from payers or other reputable sources providing clinical information shall be exempt from this prohibition, so long as the Authorized End User can still access all pharmaceuticals and the Authorized End User or patient is not prohibited from selecting a pharmacy.

IX. Availability of Data Sources.  Company acknowledges and agrees that any pharmacy, pharmacy benefit manager, payer or plan may elect not to receive prior authorizations from Company or Company’s Authorized End Users.  Company acknowledges and agrees that any pharmacy benefit manager, pharmacy, payer, or other source of data may be added or deleted at any time without prior notice to Company.

X. Audit Rights. Company shall allow DrFirst, without notice, the ability to access, inspect, and review all records related to the services provided by DrFirst through its application. 

XI. WARRANTIES AND DISCLAIMERS.  EXCEPT AS EXPRESSLY SET FORTH HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, DRFIRST DISCLAIMS ANY AND ALL OTHER PROMISES, REPRESENTATIONS AND WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND/OR NON-INFRINGEMENT. DRFIRST DOES NOT WARRANT THAT THE APPLICATION WILL MEET COMPANY’S REQUIREMENTS OR THAT THE OPERATION OF THE APPLICATION WILL BE UNINTERRUPTED OR ERROR-FREE.

XII. LIMITATION OF LIABILITY.  IN NO EVENT SHALL DRFIRST OR ANY OF ITS LICENSORS, AGENTS OR REPRESENTATIVES BE LIABLE TO COMPANY OR ANY THIRD PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, LOST PROFITS, OR BUSINESS INTERRUPTION, EVEN IF DRFIRST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  IN NO EVENT SHALL DRFIRST BE LIABLE TO COMPANY ON ACCOUNT OF ANY LOSS OR CLAIM CAUSED BY THE FAILURE OF COMPANY OR ANY OF ITS EMPLOYEES, AGENTS, PROVIDERS OR REPRESENTATIVES TO PERFORM ANY OBLIGATIONS UNDER THIS AGREEMENT.  THE CUMULATIVE LIABILITY OF DRFIRST TO COMPANY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY, WILL NOT EXCEED THE TOTAL AMOUNT OF LICENSE FEES PAID TO DRFIRST BY COMPANY, WITH RESPECT TO THE APPLICATION UPON WHICH THE CLAIM IS BASED, DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE ACT, OMISSION OR EVENT GIVING RISE TO SUCH LIABILITY.

XIII. Indemnification. DrFirst agrees to hold harmless, indemnify, and, at Company’s option, defend Company from and against any losses, liabilities, costs (including reasonable attorneys’ fees) or damages resulting from: (i) misuse of data by DrFirst in violation of Section V; (ii) any breach by DrFirst of Confidentiality obligations in Section IV; and (iii) an Infringement Claim which, for this purpose, means a claim by any third party that an Application infringes that third party’s U.S. patents issued as of the effective date of the applicable PA, or infringes or misappropriates such third party’s copyrights or trade secret rights under applicable laws of any jurisdiction within the United States of America.  Company agrees to hold harmless, indemnify, and, at DrFirst’s option, defend DrFirst from and against any losses, liabilities, costs (including reasonable attorneys’ fees) or damages resulting from: (i) use by an Authorized End User or third party end user that has not executed the terms of use; (ii) misuse of data in violation of Section VII; (iii) any breach of Confidentiality obligations in Section IV; and (iv) any material breach of the MSA that gives rise to liability of DrFirst to a third party. A party claiming indemnification must promptly notify the indemnifying party, in writing, of a potential claim and must cooperate with the indemnifying party. The indemnifying party will not settle any third-party claim against the indemnified party unless such settlement completely and forever releases the indemnified party from all liability with respect to such claim or unless the indemnified party consents to such settlement.  Except with respect to Infringement Claims, the indemnified party will have the right, at its option, to defend itself against any such claim, through counsel reasonably acceptable to the indemnifying party, or to participate with the indemnifying party in the defense thereof through counsel of its own choice.
With respect to Infringement Claims, DrFirst shall have the sole authority to control the defense and settlement of such claim and may, in its sole discretion, (i) acquire for Company the right to continue use of the Application; (ii) modify or replace any infringing Application to make it non-infringing; or (iii) direct Company to cease use of, and, if applicable, return, such materials as are the subject of the Infringement Claim.  DrFirst shall reimburse Company for all product and service fees necessitated by any such Infringement Claim.  DrFirst shall not be obligated to indemnify Company for an Infringement Claim if the alleged infringement arises, in whole or in part, from: (i) modification of the Application by Company; (ii) combination, operation or use of the Application with other software, hardware or technology not provided by DrFirst, if such infringement would have been avoided by use of the Application alone; or (iii) use of a superseded or altered release of the Application, if such infringement would have been avoided by the use of a then-current release of the Application and if such then-current release has been made available to Company. Additionally, the indemnification provision set forth herein Section XIII is separate and apart from, and does not supersede, govern or control, any indemnification provision included in a supplemental Business Associate Agreement between the parties incorporated herein.

XIV. Term and Termination.  This MSA will be enforceable from the Effective Date for the duration of the term set forth on the electronic invoice (“the Subscription Term”); provided, however, that either Party may terminate the MSA if the other party has breached the MSA and failed to cure such breach within thirty (30) days of written notice setting forth, in reasonable detail, the nature of the breach and the action necessary to cure. At the conclusion of the initial Term of this MSA and any renewal term, this MSA shall automatically renew for an additional one-year Term unless either Party provides notice of termination no less than 60 days prior to the conclusion of the then-current Term. This MSA also may be terminated by either party immediately upon written notice in the event that the other party makes a general assignment for the benefit of creditors or files a voluntary petition in bankruptcy or for reorganization or rearrangement under the bankruptcy laws, or if a petition for involuntary bankruptcy is filed against the other party and is not dismissed within thirty (30) calendar days after the filing, or if a receiver or trustee is appointed for all or any part of the property or assets of such other party. Company may cancel its subscription at any time. However, there are no refunds for cancellation, and Company understands and agrees that it shall receive no refund should it choose to cancel its subscription prior to the end of its Subscription Term.  In the event that Company chooses to cancel its subscription prior to the end of the Subscription Term, such member shall continue to have access to the Application through the end of the Subscription Term.

XV. Notices.  All notices given pursuant to the MSA shall be in writing and delivered either personally, via a nationally recognized overnight carrier, or by certified mail, return receipt requested, postage prepaid to the addresses set forth on the signature page of this MSA or a PA.  Either party may change its address by specifying such change in a written notice given to the other in the aforesaid manner.  Notices to Company shall be made to the address Company provided in the course of completing its electronic invoice. A copy of any notice directed to DrFirst shall be sent to the attention of DrFirst.com, Inc., Legal Department, 9420 Key West Avenue, Suite 101, Rockville, MD 20850, with a courtesy e-mail to: df_legal@drfirst.com

XVI. Miscellaneous.  This MSA may not be modified except by a writing signed by authorized representatives of each party.  Company represents and warrants that they have the full power and authority to bind Company to this MSA.  No waiver of rights hereunder shall be binding unless contained in a writing signed by an authorized representative of the party waiving its rights. The non-enforcement of any provision in a particular instance shall not constitute a waiver of such provision on any other occasion. No rights or obligations of a party may be assigned in whole or in part by either party without the prior written consent of the other; provided, however, that a reorganization, merger, consolidation, acquisition, or restructuring involving all, or substantially all of the voting securities and/or assets of a party shall not be deemed a prohibited assignment.  Neither party shall be liable for failure to perform any of its obligations hereunder if such failure is caused by an event outside its reasonable control, including, but not limited to, an act of God, shortage of materials, personnel or supplies, war, or natural disaster. If any provision of this MSA is declared invalid by a court of competent jurisdiction, such provision shall be ineffective only to the extent so declared, so that all remaining provisions of this MSA shall be valid and enforceable to the fullest extent permitted by applicable law.  This MSA shall be governed by and interpreted in accordance with the laws of the state of Maryland, without regard to conflicts of law principles thereof. Any claims or disputes arising under this MSA or any Addendum shall be resolved in the state or federal courts in the State of Maryland and each of the parties hereby irrevocably submits to the exclusive jurisdiction of such courts.  Under no circumstances shall the MSA or any part thereof be subject to the Uniform Computer Information Transaction Act.
The parties recognize and agree that their obligations under sections III, IV, VI, VII, XII, and XIII above shall survive the cancellation, termination or expiration of this MSA.

THE PARTIES UNDERSTAND AND ACKNOWLEDGE THAT COMPANY’S COMPLETION OF PAYMENT VIA ELECTRONIC INVOICE CONSTITUTES ACCEPTANCE OF DRFIRST’S OFFER TO PROVIDE THE SUBSCRIPTION SERVICES. COMPANY UNDERSTANDS AND ACKNOWLEDGES THAT BY COMPLETING THE ELECTRONIC INVOICE, IT AGREES TO ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS MASTER SUBSCRIPTION AGREEMENT AND THE BUSINESS ASSOCIATE AGREEMENT AND APPLICABLE PAs SET FORTH BELOW.

EXHIBIT A DRFIRST MASTER SUBSCRIPTION AGREEMENT

BUSINESS ASSOCIATE AGREEMENT 

This Business Associate Agreement (“Agreement”) is made and entered upon Company’s Completion of the electronic invoice binding it to DrFirst’s subscription Services (the “Effective Date”). This Agreement is by and between DrFirst.com, Inc. (the “Business Associate,” as further defined below), whose address is 9420 Key West Avenue, Suite 101, Rockville, MD 20850, Company (the entity named on the associated electronic invoice, also “Covered Entity,” as further defined below), whose address is the same address set forth on the electronic invoice.

WHEREAS, Company is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) and DrFirst.com, Inc. is a “Business Associate” as defined under HIPAA;

WHEREAS, Business Associate has contracted with Covered Entity to provide certain services to or on behalf of Covered Entity (“Service Agreement”), and Covered Entity may provide Business Associate with Protected Health Information or may require Business Associate to create, use, maintain, or transmit Protected Health Information on behalf of Covered Entity;

WHEREAS, the parties enter into this Agreement for the purpose of ensuring compliance with HIPAA and relevant implementing regulations, including the Privacy Rule, the Security Rule, and the Breach Notification Rule;  

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

I. DEFINITIONS AND INTERPRETATION 

a. Definitions Generally.

    i. “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.

    ii. “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.

    iii. “Electronic Protected Health Information” or “EPHI” shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103 limited to the information created or received by Business Associate from or on behalf of Covered Entity.

    iv. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.

    v. “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

    vi. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.

    vii. Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.

b. Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in favor of the regulations. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.

c. State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.

d. Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.

II. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE

a. Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI as permitted by the Security Rule, as permitted by this Agreement or the MSA, and as necessary to perform functions, activities or services for or on behalf of the Covered Entity including but not limited to: (i) Facilitating the processing of administrative, clinical and financial healthcare transactions; (ii) Treatment of patients of the Covered Entity; and (iii) Establishing and maintaining Business Management Programs.

b. Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.

c. De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.

d. Other Permitted Uses.  The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.

e. Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if: (i) Required By Law; and/or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person and  Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.

f. Report Violations of Law.  The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

III. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

a. Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law.  The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement.

b. Safeguards against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.

c. Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.

d. Agreements with Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.

e. Obligations on Behalf of the Covered Entity.  To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.

f. Access to PHI.  The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.

g. Amendment of PHI.  The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity for purposes of amendment per 45 C.F.R. § 164.526.  The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity.  If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request.  Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.

h. Accounting of Disclosures.  The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  At a minimum, such information shall include:  (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.  The Business Associate shall provide to Covered Entity information necessary to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.

i.  Retention of Protected Health Information.  Notwithstanding Section VII of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section III(h) of this Agreement for a period of six (6) years after termination of the Service Agreement.

j. Minimum Necessary.  The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

k. Availability of Information. For the purpose of the Secretary determining the Covered Entity’s compliance with the Privacy Rule, the Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity's compliance with the Privacy Rule.

IV. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE

a. Compliance with the Security Rule.  The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.

b. Subcontractors.  The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.

c. Security Incident/Breach Notification Reporting.  The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.

V. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE 

a. Notification Requirement.  To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.

b. Content of Notification.  Any notice referenced above in Section V(a) of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach.  Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.

VI. OBLIGATIONS OF THE COVERED ENTITY  

a. Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.

b. Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

c. Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.

d. Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.

VII. TERM AND TERMINATION 

a. Term. The term of this Agreement shall be enforceable as of the Effective Date and shall terminate upon the expiration or termination of the Service Agreement.

b. Termination for Cause. Upon the Covered Entity's knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.

c. Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall continue to extend the protections of this Agreement to all PHI received from Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. Business Associate shall limit further uses and disclosures of PHI for so long as the Business Associate maintains such PHI.

d. Retention of Certain Information. The Covered Entity understands and agrees that information generated through the use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.

VIII. MISCELLANEOUS

a. Indemnification.   In the event that there is a breach of privacy with respect to PHI under this BAA, the party causing the breach will indemnify the other party and its officers and directors for all actual damages, costs and attorneys’ fees caused by the breach, including but not limited to the actual costs of providing patient notice as a result of the breach.

b. LIMITATION OF LIABILITY.  IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION, OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

c. Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.

d. Amendments. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.

e. Survival. The respective rights and obligations of Business Associate under Article III of this Agreement shall survive the termination of this Agreement.

f. Entire Agreement. This Agreement is the entire agreement between the parties with regard to its subject matter and shall supersede any prior agreements.

g. Notice. Any notices required or relating to this Agreement shall be in writing and shall be sent by means of certified mail, postage prepaid, or reputable commercial carrier.

If to Business Associate:  Attn: Legal
9420 Key West Avenue
Suite 101
Rockville, MD 20850

With a courtesy email to df_legal@drfirst.com

If to Covered Entity: To the address set forth by Covered Entity on the electronic Invoice

COMPANY UNDERSTANDS AND ACKNOWLEDGES THAT BY COMPLETING THE ELECTRONIC INVOICE, IT AGREES TO ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS BUSINESS ASSOCIATE AGREEMENT.

PRODUCT ADDENDUM FOR IPRESCRIBE

I. Overview.

This Product Addendum (“PA”) is entered into by and between DrFirst.com, Inc. (“DrFirst”) and the entity identified on the applicable electronic invoice, including its affiliates and subsidiaries (referred to, collectively, as “Company”).  This PA is incorporated into a certain Master Subscription Agreement (“MSA”) entered into by the undersigned parties.  In the event of a conflict between this PA and the MSA, the terms of this PA shall govern. Unless otherwise defined herein, capitalized terms used in this PA shall have the meanings used in the MSA.

II. iPrescribe License.  Subject to the terms of this PA, the MSA, and applicable law, DrFirst grants to Company the number of licenses shown on the applicable electronic invoice to use and access iPrescribe, DrFirst’s mobile electronic prescription writing application and service which allows Authorized End Users to electronically prescribe medications from a mobile device.

III. DrFirst Obligations.  

a. DrFirst shall during the term of this PA comply with all applicable laws, rules, and regulations regarding the electronic prescribing of controlled substances and shall maintain any third-party audits or certifications as necessary to provide the Services.  At Company’s request, DrFirst shall provide any copies of such third-party audits or certifications for the software provided. 

b. DrFirst shall not be responsible for obtaining, on behalf of Company, any federal or state approvals to use or dispense controlled substances. DrFirst shall at no time be responsible for Company’s failure to maintain or procure any such required approvals.

c. DrFirst represents and warrants that the EPCS Gold platform is and shall be in compliance with the relevant provisions of the Drug Enforcement Agency’s Electronic Prescriptions of Controlled Substances Final Rule as codified in 21 CFR Parts 1300, 1304, 1306, and 1311 (the “DEA Regulations”).

IV. Company Obligations.

a. Company agrees to remain, and to cause all of its Authorized End Users to remain, bound by any and all obligations and restrictions set forth in any Business Associate Agreement (“BAA”) and the iPrescribe Terms of Use (“TOU”), and the terms of use for DrFirst’s EPCS and PDMP, each of which are set forth at the URLs hyperlinked in this section.

b. Terms applicable to mobile users. Company, Company’s customers, and all Authorized End Users are solely responsible for any and all charges incurred from using or accessing iPrescribe on a mobile data network. Company, Company’s customers, and Authorized End Users are responsible for ensuring the use of iPrescribe complies with any terms of use imposed by a mobile device provider or mobile network provider. 

c. EPCS.  For features related to the electronic prescribing of controlled substances, Company, for itself and its Authorized End Users, shall be responsible for obtaining any necessary state or federal approvals for prescribing or dispensing controlled substances. DrFirst expressly disclaims any liability for any damages or costs occurring as a result of Company’s failure to obtain and/or maintain any necessary approvals or certifications required by the relevant provisions of the DEA Regulations applicable to Company’s status as an individual practitioner, institutional practitioner, or pharmacy (as applicable). Company agrees to remain, and to cause all of its Authorized End Users to remain, bound by any and all obligations and restrictions set forth in any Business Associate Agreement (“BAA”) and Terms of Use (“TOU”). An Authorized End User must undergo identity proofing satisfactory to DrFirst. If Company has its own credentialing process that meets Level of Assurance (“LOA”) requirements and does not require DrFirst involvement, it may upload its Authorized EPCS End Users through DrFirst’s InfinID application for no additional charge.  In such cases, Company will manage its own credentialing process.  Otherwise, DrFirst can process Company’s credentialing through Experian for an additional fee.  In the event a token is lost, stolen or damaged and a secondary back-up token (hard or soft) is not registered to the Authorized EPCS End User’s EPCS account, the Authorized EPCS End User must undergo the identity-proofing process again and must pay a token management replacement fee regardless of whether or not the replacement token was issued by DrFirst. A complimentary token shall be provided by DrFirst for each license purchased.  A free replacement token shall be furnished for any reason within the first three months of issuance.  No warranties exist for the token after 3 months of issuance. 
Any additional tokens requested after 3 months of issuance shall be charged at a rate of $28 per token. Such additional tokens shall be billed to the credit card Company placed on file at the time it completed the applicable electronic invoice, and Company grants DrFirst consent to bill its credit card for this purpose. 

d. PDMP. PDMP access shall only be granted by Company request in applicable jurisdictions. If PDMP access is granted, then Company shall require each Authorized PDMP End User to agree to the applicable click-through Terms of Use, which may be modified from time to time by DrFirst. The Terms of Use are available at https://www.drfirst.com/epcs-pdmp-terms-of-use/. Further, as a condition of the grant of access, Company represents and warrants that, as applicable, it has effectuated credentialing and identity validation processes that adhere to all applicable state and federal laws and rules regarding access to PDMP information. Company agrees to contractually obligate Company’s Authorized PDMP End Users to provide DrFirst proof of its state-issued authorization to access PDMP Data, if such authorization is required by applicable law. Company agrees to coordinate with DrFirst to assist in the completion of all necessary approval documentation required for Company to gain access to the PDMP.  Company agrees that it shall not sublicense, transfer, sell, disclose, export or otherwise permit access to or use of PDMP Data acquired through the Application.  To the extent that Bamboo Health is the source of the PDMP Data, Company agrees to contractually obligate its Authorized PDMP End Users to represent and warrant that they are not currently under formal investigation, indictment, or prosecution and have not been convicted, disciplined, or sanctioned within the preceding five (5) years by any governmental entity or self-regulation program for violation of any government laws or regulations under or related to health care, drugs, or criminal acts.
To the extent that Bamboo Health is the source of the PDMP Data, Company agrees, and Company agrees to contractually obligate its customers and Authorized PDMP End Users, to indemnify, hold harmless, and defend DrFirst, the National Association of Boards of Pharmacy, Bamboo Health, and each of their respective officers, directors, employees, members, contractors and affiliates from and against any losses, liabilities, costs (including reasonable attorneys’ fees), or damages resulting from any third-party claim in which any above-named party is named as a result of any access or use of the Application by Company or its Authorized PDMP End Users or Administrators. To the extent that the CURES network is the source of the PDMP Data, Company agrees to contractually obligate Authorized End Users, which may consist of healthcare practitioners and/or pharmacists, to verify through the CURES portal that the Authorized End User’s CURES account profile is current, which shall include, at a minimum, completion of the annual update, and that the Authorized End User possesses an active CURES account. Failure of the Authorized End User to complete the annual update or maintain an active CURES account status will result in rejection of queries. For access to Washington State PDMP Data, the Authorized End User is required to have an account with onehealthport.  Company and/or the Authorized End User retains full responsibility for maintaining an account with onehealthport and for any associated costs or fees. Company agrees to remain, and to cause all of its Authorized PDMP End Users to remain, bound by any and all obligations and restrictions set forth in any Business Associate Agreement (“BAA”) and Terms of Use (“TOU”).

V. Pricing and Payment. Any fees charged for a subscription to the EP System (the “Subscription Fees”) through the electronic invoice shall be based on the “Subscription Term” and must be paid in advance in order to access the Application.  DrFirst may offer special promotions from time to time.  All Subscription Fees are subject to applicable sales and other taxes and shall be non-refundable.  DrFirst reserves the right to change Subscription Fees at any time without further notice.  Such revised Subscription Fees shall become effective upon the expiration of the current Subscription Term.

VI. Term and Termination.  Subject to the termination provisions of the MSA, the term of this PA shall be the same as the term set forth on the applicable electronic invoice. At the conclusion of the initial Term of this PA and any renewal term, this PA shall automatically renew for an additional one-year Term unless either party provides notice of termination no less than 60 days prior to the conclusion of the then-current Term, and Company shall be billed in accordance with DrFirst’s then-current pricing, which may change from time to time. Company grants DrFirst permission to charge the credit card Company has on file with DrFirst at the time of any automatic renewal.

COMPANY UNDERSTANDS AND ACKNOWLEDGES THAT BY COMPLETING THE ELECTRONIC INVOICE, IT AGREES TO ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS PRODUCT ADDENDUM.