[vc_row full_width=”stretch_row”][vc_column][vc_column_text]


Business Associate will or may receive or have access to Protected Health Information (“PHI”) when providing services to 9zest users (the “Services”).
Business Associate may be required to create, access, use, maintain, or disclose PHI when providing the Services to the users of 9zest.


1.Applicable Law

9zest and Business Associate will comply with all applicable laws, including those governing the creation, use, disclosure, access, and maintenance (collectively, “Use”) of PHI. Those laws include, but are not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), Title XIII of the American Recovery and Reinvestment Act, state data privacy and security laws applicable to the PHI, and the accompanying regulations (collectively, as modified from time to time, the “Applicable Laws”). The terms capitalized in this Agreement have the meanings set forth in the Applicable Laws and in this Agreement. The term Business Associate has the same meaning as provided in the Applicable Laws and specifically refers to the party identified above. .

2. Use and Disclosure of PHI

Information You Provide to Us

  1. Permitted Use. Business Associate may Use PHI only for (i) the provisioning of Services to users of 9zest, (ii) as set forth in this Agreement, and (iii) as required by law (collectively, the “Permitted Uses”).

  2. Prohibited Use. This Agreement prohibits any Use of PHI beyond Permitted Uses (collectively, the “Prohibited Uses”). Business Associate will limit its Use of PHI to the minimum necessary to perform the Services for users of 9zest and will not store or maintain PHI outside the United States. This Agreement prohibits de-identification or aggregation of PHI unless specifically permitted by 9zest user/ 9zest in writing.

  3. Use of Offshore Resources. Subject to Section 2.B. above, Business Associate may use offshore resources to perform the Services under this Agreement, but will do so only in compliance with any guidelines provided by 9zest user and upon written approval of 9zest user. To the extent that personnel of the Business Associate outside the United States may be required to have access to PHI, such individuals outside the United States will not have the ability to save, duplicate, copy, or print PHI.

  4. Privacy Rule Compliance. To the extent Business Associate is to carry out one or more of 9zest’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to 9zest in the performance of such obligation(s).

  5. Remuneration. Except as otherwise allowed in this Agreement and Applicable Law, Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI.

  6. Standard Transactions. To the extent that Business Associate submits Standard Transactions on behalf of 9zest, or assists 9zest with the submission of Standard Transactions, Business Associate will comply with HIPAA’s Transaction and code set Standards for such Transactions.

3. Duty to Safeguard PHI

  1. Business Associate’s Duty. Business Associate will use all appropriate administrative, physical, and technical safeguards, including compliance with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent any Prohibited Use and any Breach or Security Incident.

  2. Examples of Appropriate Safeguards. Applicable Laws define appropriate safeguards, which include measures reasonably calculated to prevent Prohibited Uses, Breaches and Security Incidents, such as, at a minimum, minimum restricted area-access, locked areas, and password-protected computer access.

4. Subcontractors

Most mobile platforms (iOS, Android, etc.) have defined certain types of device data that apps cannot access without your consent. And these platforms have different permission systems for obtaining your consent. The iOS platform will alert you the first time the 9zest app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the 9zest app seeks before you first use the app, and your use of the app constitutes your consent.

  1. Business Associate may use subcontractors only upon written approval of 9zest user.

  2. Business Associate will enter into a written contract with each agent and subcontractor receiving PHI under this Ag eement and will keep a copy of each contract for ten years after the contractual relationship between Business Associate and that agent or subcontractor ends. Each contract will bind the agent or subcontractor to do the following:

    1. To agree to the same terms that apply to Business Associate’s use and disclosure of PHI under this Agreement;

    2. To report to Business Associate as soon as possible, but no later than within twenty-four (24) hours, after it knows of a Prohibited Use, Disclosure, Breach or a Security Incident (the report must include at least the same information that Business Associate is required to provide to 9zest under Section 5.B of this Agreement);

    3. To mitigate, to the extent practicable and as soon as possible, any harmful effect from a Prohibited Use, Breach or Security Incident that is known to Business Associate;

    4. To implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the PHI and to prevent Breaches or Security Incidents; and

  3. Business Associate will maintain, for at least ten years after the relationship terminates, a list of all disclosures to agents or subcontractors as provided in Section 7 of this Agreement. Upon request, Business Associate will provide 9zest a list of Business Associate’s subcontractors and agents that perform any Service.

5. Reporting and Mitigating.

  1. Reporting Duties. Business Associate will report to 9zest as soon as possible, but no later than twenty-four hours, after Business Associate knows of a Prohibited Use, Breach or a Security Incident. For reporting purposes under this Section 5, Business Associate does not need to report separately as a Security Incident any unsuccessful attempt to gain access to the PHI, but instead hereby reports that such unsuccessful Security Incidents occur. Examples of unsuccessful attempts to gain access to the PHI include, but are not limited to, pings, and other broadcast attacks on Business Associate’s firewall, port scans, log-on attempts, denials of service, and any combination of the above. This reporting duty does not relieve Business Associate in any degree of its duty to safeguard the PHI and to prevent any Prohibited Use and any Security Incident.

  2. Content of Report. The report of a Prohibited Use, Breach or Security Incident will include at least the following information:

    1. The date of the Prohibited Use, Breach or Security Incident;

    2. If PHI was disclosed or accessed, the name, address, and phone number of each entity and person who disclosed, accessed, or received PHI;

    3. If a Breach or Security Incident occurred, details about who may have caused the Breach or Security Incident and how it occurred;

    4. Personalize and improve the Services, including to provide or recommend features, content, social connections, referrals, and advertisements.

    5. A description of the PHI accessed, used, or disclosed;

    6. A brief statement of the circumstances of the Breach or Security Incident or of the circumstances and the purpose of the Prohibited Use; and

    7. The corrective action Business Associate took or will take to prevent a continuing or similar Prohibited Use, Breach or Security Incident.

  3. Mitigating. Business Associate will mitigate, to the extent practicable and as soon as possible, any harmful effect known to Business Associate of a Prohibited Use, Breach or Security Incident. Business Associate will preserve forensic evidence relating to a Prohibited Use and to a Breach or Security Incident.

  4. Investigation. Business Associate will cooperate with 9zest in any investigation of a Prohibited Use, Breach or a Security Incident.

6. Requests to Access or Amend PHI

  1. Requests to Access or Amend. If the Services require Business Associate to maintain a Designated Record Set, then Business Associate might receive a request from a person to inspect, copy, or amend PHI. If that happens, Business Associate will not release PHI to that person, or amend PHI as requested, but will forward that request in writing to 9zest within five days of receiving it. 9zest will determine how to respond to each request.

  2. 9zest Requests. Within five business days of 9zest’s request for PHI, Business Associate will provide the requested PHI to 9zest.

7. Accounting of Disclosures

  1. Duty to Account for Disclosure. Business Associate will keep a record of all Disclosures of PHI as required by Section 45 C.F.R. 164.528, as amended.

  2. Fifteen Days. Business Associate will provide a Disclosure Accounting to 9zest within 15 business days of receiving a request from 9zest.

8. Term and Termination

  1. Term. This Agreement begins on the Effective Date and continues until terminated under Section 8.B, below or until Business Associate ceases to be 9zest’s Business Associate.

  2. Termination.

    1. If 9zest determines in good faith that Business Associate has violated a material term of this Agreement, or has failed to comply with any 9zest security guidelines, 9zest may give Business Associate a period of up to 15 days to cure the violation, if cure is possible. If Business Associate fails to cure within the time required, or if cure is not possible, then 9zest may terminate this Agreement or any services related to this Agreement

    2. Upon termination, Business Associate will return or, with 9zest’s prior written permission, destroy all PHI and will not retain, nor allow any of its agents or subcontractors to retain, any PHI in any form (including de-identified or aggregated data derived from the PHI). Further, Business Associate will certify in writing to 9zest that Business Associate (including its agents and subcontractors) has returned or, with permission, destroyed all 9zest PHI, unless destruction is infeasible, as this Agreement requires. But if 9zest agrees that the return or destruction of PHI is infeasible and determines that Business Associate’s plan to safeguard the confidentiality and security of PHI is acceptable, 9zest may permit Business Associate to retain the PHI for the specific and limited purpose that makes return or destruction of the PHI infeasible. Specifically, Business Associate shall:

      1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

      2. Return or, with 9zest’s prior written permission, destroy the remaining PHI that Business Associate still maintains in any form;

      3. Continue to use appropriate safeguards to comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Agreement, for as long as Business Associate retains the PHI.

      4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this Agreement which applied prior to termination; and

      5. Return to 9zest or, with 9zest’s prior written permission, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

    3. Business Associate’s duty to destroy PHI, as stated in Section 8 B(2), above, includes, but is not limited to, the following obligations:

      1. destroying all copies of PHI including backup tapes and other electronic backup medium; and

      2. destroying all electronic PHI in any form by “clearing (which requires making a minimum of 3 passes), “purging,” or “physically destroying,” that PHI in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88 or in another manner approved in advance by 9zest.

9. Books and Records

  1. Audit. 9zest and its customers have the right to review all of Business Associate’s records relating to Business Associate’s compliance with this Agreement. 9zest and its customers will pay the expense of an onsite audit. But if 9zest or its customers discover as a result of the audit a material breach of this Agreement, then Business Associate will reimburse 9zest and its customers for the expense of the audit. Additionally, from time to time, 9zest may request an attestation of Business Associate’s compliance with this Agreement and Applicable Laws. If 9zest requests that attestation, Business Associate will provide it within 30 days of 9zest’s request. 9zest will provide the form of the attestation described above. Under this Section 9, the term records includes, but is not limited to, all documentation, policies, agreements, logs, procedures, and internal audits relating to this Agreement. 9zest will give Business Associate at least thirty (30) days advance written notice unless cause shown, of a review and will conduct the review at Business Associate’s place of business during normal business hours. Business Associate shall also permit 9zest’s customers, or the agents and designated representatives of its customers, to review all of Business Associate’s records and conduct any such visits, inspections, examinations, audits and verifications with respect to the Services as the 9zest customer may request.

  2. Government Access. Business Associate will make available to the Secretary of the Department of Health and Human Services all records requested by the Secretary or the Secretary’s designee for purposes of determining compliance with HIPAA. Neither Business Associate nor 9zest waives any attorney-client, accountant-client, or other legal privilege or confidentiality as a result of this Section 9.B.

10. Amendment

  1. Required by Law. If an Applicable Law requires a change in this Agreement, the parties will consider that change to be made automatically, but only to the minimum extent required by that Applicable Law. Either party will provide notice to the other party of any changes to this Agreement resulting from Applicable Law.

  2. Amendment by the Parties. The parties may amend this Agreement in writing. If Business Associate and 9zest cannot agree on an amendment that 9zest considers necessary for a party to meet its obligations under Applicable Law, or any of 9zest’s customer engagements, then either party may terminate this Agreement and any Services or services associated with this Agreement by giving written notice of termination to the other party.

11. Ownership of Information

9zest owns and retains ownership of all information, including but not limited to PHI, that is disclosed to or created by Business Associate under this Agreement. Business Associate acquires no title or right under this Agreement to any information, including but not limited to any de-identified or aggregated PHI.

12. Indemnification

  1. Business Associate agrees to indemnify and defend 9zest and its affiliates, directors, officers, employees, contractors, agents and other workforce members, as well as 9zest’s customers, from and against every claim, cause of action, obligation, liability, judgment, damage, loss, cost, expense, and fee (including without limitation reasonable attorneys’ fees) arising from or relating to claims resulting from Business Associate’s breach of this Agreement, any Breach or Security Incident, negligent or wrongful acts, or omissions, including without limitation Business Associate’s failure to perform its obligations under the Applicable Laws. Any such liabilities, judgments, damages, losses, costs, expenses and fees incurred by 9zest or its customers are direct damages payable by Business Associate hereunder.

  2. No other agreement between the parties alters a party’s liability under this Agreement.

  3. Business Associate does not have the authority to enter into any settlement without 9zest’s written consent if the settlement includes any admission of fault on the part of 9zest or any of its customers, or creates any obligation binding 9zest or its customers.

  4. Between 9zest and Business Associate, Business Associate is liable for the actions and inactions of each of the Business Associate’s agents and subcontractors.

  5. Business Associate is responsible for 9zest’s or its customers’ liabilities, costs and expenses incurred that result from Business Associate’s breach of this Agreement, any Breach or Security Incident, or any actions, inactions or omissions of Business Associate, and any violations of Applicable Laws, including but not limited to any costs and expenses incurred by 9zest, or liabilities to 9zest’s customers, associated with notification to affected individuals and credit monitoring services, as well as any other actions undertaken to remediate the effects of any breach of this Agreement. Any such costs, expenses and liabilities are direct damages payable by Business Associate.

13. Injunctive Relief

9zest is entitled to obtain, without bond, injunctive and other mandatory judicial relief against Business Associate to restrain and prevent any threatened, possible, or likely Prohibited Use. This remedy is in addition to any other legal or equitable remedies to which 9zest may be entitled.

14. Legally Required Disclosure

Business Associate will preserve forensic evidence relating to each Prohibited Use and to each Security Incident. Also, Business Associate will notify 9zest in writing before providing the PHI to any third party under a judicial or governmental request, and will cooperate with 9zest, as 9zest reasonably requests, in seeking a protective order or limiting the effect of that disclosure.

15. Assignment

Business Associate may not assign this Agreement without 9zest’s prior written consent. Any attempt by Business Associate to assign any of its rights or delegate any of its duties under this Agreement without 9zest’s prior written consent will be null and void and will entitle 9zest, in its sole discretion, to terminate this Agreement without liability to, or recourse by, Business Associate. 9zest may freely assign and delegate any of its rights and obligations under this Agreement without restriction. Subject to the limitations on assignment set forth in this Section, this Agreement will apply to, be binding upon, and inure to the benefit of, the successors and permitted assigns of the parties.

16. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the state of Delaware without reference to conflict of laws principles. This Agreement may not be amended except by a writing signed by both parties hereto. The courts of the state of Delaware , or the federal courts of the United States situated therein, as applicable, shall have sole and exclusive jurisdiction over any action, claim, demand, proceeding or lawsuit whatsoever arising under or in relation to this Agreement or its subject matter. The parties irrevocably agree, consent and submit themselves to the subject matter and personal jurisdiction of such courts for such purposes, and agree not to plead or claim in such courts that any such action has been brought in an inconvenient forum.

17. Training

Business Associate will train its personnel whose services may be used to satisfy Business Associate’s obligations under this Agreement regarding the terms of this Agreement.

18. Correspondence

9zest will send any reports or notices required under this Agreement to the Business Associate’s email address registered with 9zest. Business Associate will send any reports or notices required under this Agreement to the 9zest’s address listed below.

Attn: Legal Department
8 The Green, Suite #5910
Dover, DE 19901

19. Conflict of Terms

If there is a conflict between the terms of this Agreement and any underlying agreement between the parties, the terms of this Agreement prevail. No term in any other document, including an invoice, purchase order, or work order, modifies this Agreement.

20. Survival

If this Agreement expires or is terminated, the following Sections will survive: 3, 4, 5, 6, 7, 8B, 9, 11, 12, 13, 14, 15, and 16.