Master Services Agreement

The Fortified services are subject to and governed by the terms and conditions set forth in this Master Services Agreement (the “Agreement”).  By executing a Work Order which incorporates this Agreement, you are representing to Fortified that you are: (i) authorized to bind Client (as defined below) and (ii) agreeing to the terms and conditions contained herein.

This Agreement is a binding agreement between you, a legal entity (“Client” as defined in the applicable Work Order) and Fortified Health Security (“Fortified”),  and is effective upon Client’s execution of a Work Order that incorporates this Agreement (“Effective Date”).

  1. Engagement of Services.  This Agreement provides the terms and conditions on which Fortified will provide services to the Client.  Fortified will perform services through individual separate engagements which shall be described in Work Orders to be executed by the parties. Each Work Order shall describe the scope of work to be performed, the time period for performance, the compensation to be paid, payment and invoicing schedules, and any other terms and conditions applicable to the Work Order.  The services as described in Work Order(s) executed hereunder shall be referred to as “the Services.”  In the event of any conflict between the terms of a Work Order and the terms of this Master Services Agreement, the terms of the Work Order shall prevail.
  2. Compensation.  Fortified shall be compensated for Services performed as set forth in each Work Order.
  3. Invoicing and payment.  Fortified shall invoice for Services as provided in each Work Order.  Payment is due upon Net thirty (30) days from receipt of invoice.  In the event that payment is not received within thirty (30) days of the date of an invoice, Fortified shall be entitled to charge interest on the outstanding balance at the rate of one and one half percent (1.5%) per month, or the maximum rate permitted by law, whichever is less.  In the event that Fortified institutes legal action to collect unpaid amounts, Fortified shall be entitled to recover its costs of collection, including attorney fees.
  4. Quality of Work.  Fortified shall perform the Services in a professional and workmanlike manner, exercising the level of care and skill customarily exercised by information security professionals performing similar services under similar conditions.
  5. Trade Secrets and Confidential Information. 

            a. During the term of this Agreement, each party (a “Receiving Party”) may have access to and may become familiar with various trade secrets and confidential information of the other party (the “Disclosing Party”), including without limitation financial, operational and development information, reports, data compilations, threat and risk analysis and reporting, software and computer programs and related source codes, object codes and documentation, patient and employee data, processes, policies and procedures, customer lists, prospective customer information, employee lists and prospective employee data that are owned by the Disclosing Party or in which the Disclosing Party has property or license rights (all of such items contained in any tangible or electronic form, or communicated verbally or visually, herein referred to as the “Confidential Information“).

            b. Notwithstanding the foregoing, Confidential Information shall not include (i) information which is or becomes generally available to the public other than as a result of disclosure by the Receiving Party, (ii) becomes available to the Receiving Party on a non-confidential basis from a source not bound by an obligation of confidentiality to the Disclosing Party, (iii) was known to the Receiving Party prior to its disclosure by the Disclosing Party, or (iv) is developed independently by the Receiving Party without reference to the Disclosing Party’s Confidential Information.

            c. The Receiving Party shall not, either during the term of this Agreement or at any time thereafter, use the Confidential Information in any way other than in connection with the performance or receipt of services, or in the management of its business, or as required by law, nor disclose any of the Confidential Information, directly or indirectly, other than to its employees, subcontractors or affiliates who have a need to access to such information in connection with the performance or receipt of services, or in the management of its business, or as required by law.  The Receiving Party shall take commercially reasonable measures to protect the security and prevent the improper disclosure of Confidential Information, which shall in no event be less rigorous than those utilized by the Receiving Party to protect its own Confidential Information.  The Receiving Party shall disclose the Confidential Information only to those employees, agents or representatives having a need for access to the Confidential Information as defined above, and who are bound by obligations of confidentiality and non-disclosure that are no less stringent than those contained herein.

            d. It is specifically acknowledged and understood by Client that Fortified’s web portal concept, design, and functionality (the Fortified “Dashboard”) is a trade secret of Fortified, and, as such, constitutes Confidential Information under this Agreement, and will be treated by Client accordingly.

            e. Confidential Information may be disclosed by the Receiving Party as required by law, provided that the Receiving Party shall provide the Disclosing Party prompt advance notice of the legal requirement for disclosure, so that the Disclosing Party may seek a protective order, or other legal relief.

            f. Upon termination of this Agreement all Confidential Information in the Receiving Party’s custody or control shall be immediately returned to the Disclosing Party, or, at Disclosing Party’s option, destroyed; and the Receiving Party shall destroy all records, notes, compilations and other documentation (on all forms of media) containing Confidential Information of the Disclosing Party. 

            g. The parties each acknowledge that there may be no adequate remedy at law for its failure to comply with the terms of this Section.  Accordingly, in the event a Receiving Party fails to comply with these terms, the Disclosing Party shall have the right, without prejudice to any other rights or remedies available to it, to seek equitable relief to enforce and protect its rights hereunder, by way of temporary restraining order or injunction, and such other alternative relief as may be appropriate, without the necessity of posting any bond or surety.

6. Mutual Non-Solicitation Obligations.  Each party agrees that it shall not, without the prior written consent of the other party, solicit to hire nor hire any employee or contract consultant of the other party who has been involved, during the prior twelve-month period, in the performance or the receipt of Services hereunder.

7. Fortified Representations and Warranties

a. Fortified represents and warrants (a) that there are no other agreements of any nature with any person or entity which would prevent Fortified from entering into this Agreement, and (b) that Fortified has made no outstanding assignments, grants, licenses, encumbrances, obligations or agreements, either written, oral or implied, inconsistent with this Agreement.

b. Except as expressly provided herein, the Services are performed without warranty, express or implied, and there is no warranty of merchantability or fitness for a particular purpose.  IT IS EXPRESSLY UNDERSTOOD THAT FORTIFIED’S PRODUCTS AND SERVICES ARE DESIGNED TO ASSIST CLIENT TO OPTIMIZE CLIENT’S DATA SECURITY PRACTICES BUT THERE IS NO GUARANTY AGAINST THE occurrence OF A SECURITY INCIDENT OR A DATA BREACH.

8. Independent Contractor.  Fortified is an independent contractor to Client:

            a. Fortified shall be responsible for paying any federal, state, or local payroll, social security, disability, workers’ compensation, self-employment insurance, income and other taxes or assessments imposed in connection with Fortified employees.

            b. Fortified shall not be treated, nor seek to be treated, as an employee of Client for any purpose. Fortified and its employees and agents shall not be eligible to participate in Client’s workers’ compensation, unemployment, disability, medical, dental, life or any other insurance programs, or any other benefit or program that is sponsored, financed or provided by Client for its employees.

            c. Neither Fortified nor any employee of Fortified shall hold any appointed office or title in Client’s organization, and, specifically, neither Fortified nor any employee of Fortified shall serve or act as Client’s Security Officer or Privacy Officer; nor does Fortified assume any responsibilities associated with such positions.

9. Indemnification. 

            a. Fortified shall indemnify, hold harmless and defend Client from, any and all costs, liabilities, damages, attorneys’ fees, or expenses of any kind that are caused by the breach by Fortified of the obligations contained in the foregoing sections 8(a) and 8(b).

            b. Fortified shall indemnify, hold harmless and defend Client from, any and all costs, liabilities, damages, attorneys’ fees, or expenses of any kind that arise out of a claim alleging that any deliverable provided by Fortified to Client hereunder, excluding all Client products and services and third-party products or services or works of authorship or inventions, infringe a validly existing U.S. patent or copyright, or other intellectual property right of a third party.  Should such deliverable become, or be likely to become, in Fortified’s opinion, the subject of infringement of such patent, copyright or other intellectual property right, Fortified shall procure for Client (i) the right to continue using the same, or (ii) replace or modify it to make it non-infringing, provided that the replacement or modification performs the same functions and matches or exceeds the performance and functionality of the original deliverable at no additional cost to Client.  In the event that Fortified shall reasonably determine that neither (i) nor (ii) above is commercially practicable, Client shall return the infringing deliverable and Fortified shall refund the fees and expenses paid by Client to Fortified for such Work Product.  Fortified shall have no obligation or liability for any claim based upon or resulting from (A) the use, operation or combination of the deliverable with non-Fortified programs, data, equipment or documentation if such infringement would have been avoided but for such use, operation or combination; (B) modification of the deliverable, unless such modification has been performed by Fortified or at its direction; (C) the non-compliance with Fortified’s designs, specifications or user documentation; or (D) information, direction, specifications or materials provided by Client or by a third party not under Fortified’s control.  The foregoing states the entire liability of Fortified and the exclusive remedy of Client with respect to infringement of any third-party intellectual property rights, whether under theory of indemnity, breach of contract, warranty or otherwise.

            c. Fortified shall indemnify, hold harmless and defend Client from, any and all costs, liabilities, damages, attorneys’ fees, or expenses of any kind arising out of a third party claim based upon the wrongful death or personal injury of any person (except as otherwise provided in Section 19, below), or the physical damage to property caused by the negligent acts or omissions or willful misconduct of Fortified in the course of performance of this Agreement; provided that, Fortified shall not be obligated to indemnify, hold harmless or defend Client under this Section 11 to the extent a claim arises from the negligent acts or omissions, or willful misconduct of Client, its employees, agents or contractors.

10. Business Licenses. Fortified shall obtain and maintain all business licenses necessary for Fortified to perform the Services hereunder.

11. Duties of Client. 

            a.  Client shall provide reasonable support to allow Fortified to perform the Services in a timely manner, including the following: access to facilities and systems; information and access to client personnel; a reasonable work environment; timely responses to requests for information.  It shall be Client’s responsibility to maintain system security, network and IT infrastructure and protect Client data, including, without limitation, endpoint protection, data backup and reasonable security procedures.

            b.  Client shall identify, to Fortified, Client’s named information security official whom is responsible for the development and implementation of the policies and procedures required by HIPAA.

12. Removal of Personnel.  In the event that Client reasonably requests in writing the removal of any resource supplied by Fortified, Fortified shall promptly remove such person.  Fortified shall within a reasonable period of time replace the resource with a resource having equal or better qualifications.

13. HIPAA.  Fortified understands that in the course of performing Services hereunder, Fortified may have access to Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, 45 C.F.R. Parts 160 – 164) (“HIPAA”).  Fortified agrees that in such event it shall be deemed a Business Associate of Client as provided under HIPAA and Fortified agrees to the terms of the Business Associate Agreement attached hereto as Attachment A.

14. Term and Termination.

a.  This Master Service Agreement shall commence on the Effective Date and shall remain in effect until terminated by a party as provided herein.  This Agreement may be terminated (i) by either party for convenience upon thirty (30) days’ written notice or (ii) by the non-breaching party in the event of a material breach which is not cured by the breaching party within ten (10) days following written notice of breach provided by the non-breaching party (specifying in reasonable detail the act(s) or omission(s) claimed to constitute the breach). Upon any termination of this Agreement each party shall be released from all obligations and liabilities to the other occurring or arising after the date of such termination, except that: (x) no termination of this Agreement for convenience by Client shall have the effect of terminating any Work Order in effect at the time of such termination that, by its terms, may not be terminated for convenience, and the terms and conditions of this Agreement shall continue to govern any such Work Order(s) until such Work Order(s) expire or are terminated as may be provided for therein; and (y) any termination of this Agreement shall not affect the parties’ rights and obligations under all sections of this Agreement that by their nature are intended to survive termination or expiration of the Agreement, nor shall any such termination relieve either party from any liability arising from any breach of this Agreement, as the case may be.  Client shall be responsible for payment for Services provided prior to the effective date of termination.

b.  In the event of expiration or termination for any reason of this Agreement, and upon completion or termination for any reason of any Work Order hereunder, Fortified shall immediately make available, for legal and physical transfer to Client, all copies or embodiments of any Deliverables, regardless of the state of completion.  Client shall remain responsible for all payments due.  Furthermore, upon termination, or at any time upon Client’s request, all Client Confidential Information, and all reproductions, copies and embodiments thereof, shall also be immediately returned by Fortified to Client or destroyed.  Moreover, Fortified shall cease all work hereunder (or, in the event of termination of a Work Order, cease all work under such Work Order), and, unless otherwise provided in a Work Order, Client will be obligated to pay only for Services performed and costs actually incurred prior to the termination date.  As used herein, “Deliverables” means tangible materials prepared by Fortified for delivery to Client as expressly provided in a Work Order, such as reports, compilations or analyses

15. Force Majeure.  Neither party shall be liable to the other for a failure to perform hereunder to the extent that such failure is caused by fire, earthquake, flood, riot, insurrection, war, act of terror, epidemic, or other cause beyond the reasonable control of the party whose performance has been affected.

16. Taxes.  Client shall be responsible for payment of all sales, use, excise and other taxes levied in connection with the Services, except that Fortified shall be responsible for taxes based upon Fortified’s income, and for payroll taxes levied in connection with Fortified employees.

17. Limitation of Liability. FORTIFIED’S TOTAL LIABILITY TO CLIENT, WHETHER IN CONTRACT OR IN TORT OR UNDER ANY OTHER CAUSE OF ACTION (INCLUDING, WITHOUT LIMITATION, BREACH OF WARRANTY, NEGLIGENCE AND STRICT LIABILITY IN TORT) SHALL BE LIMITED TO AN AMOUNT NOT TO EXCEED, IN THE AGGREGATE FOR ALL CLAIMS, THE TOTAL DOLLAR AMOUNTS PAID TO FORTIFIED DURING THE TWELVE MONTH PERIOD IMMEDIATELY PRECEDING THE ACCRUAL OF THE CLAIM, UNDER THE WORK ORDER in connection with which such claim(s) arose.  IN NO EVENT shall either party be liable to the other party for any special, indirect, consequential, exemplary or punitive damages, INCLUDING LOSS OF PROFITS OR GOODWILL, Data BREACH OR LOSS OF DATA, in any forum for any claim or loss arising out of or related to this Agreement, even if such party IS advised in advance of the possibility of such damages.

18. Medical Liability Disclaimer.  The parties recognize that the services performed hereunder may impact the flow of information being provided to physicians and other clinical personnel at Client.  Reliance by Client upon services provided by Fortified, or by systems or protective measures that Fortified has provided or worked on shall not diminish the responsibility of Client for medical treatment, patient care and clinical outcomes.  As between Client and Fortified, Client shall have sole responsibility for medical treatment of patients and clinical outcomes. Client shall indemnify, hold harmless and defend Fortified from and against any third-party claim, loss, liability or damages arising out of any medical treatment, patient care or related activities of Client.

19.  General Terms.

            a. This Agreement and the applicable Work Order constitutes the complete agreement between Client and Fortified with respect to the Services, superseding any previous oral or written agreement, arrangement or understanding between the parties. This Agreement shall be governed by the laws of the State of Tennessee without reference to choice of law principles.  The exclusive jurisdiction for any legal proceeding regarding this Agreement shall be the state and federal courts having jurisdiction in Client’s city and state as identified herein, and in the Williamson County Circuit Court, Tennessee or United States District Court for the Middle District of Tennessee, and the parties expressly agree that jurisdiction and venue are proper in said courts. 

            b. Fortified reserves the right to change or amend the terms of this Agreement from time to time, without prior written notice to Client. This Agreement may only be amended by Client through a written amendment signed by both parties.

            c. As Client has specifically contracted for Fortified’s services, Fortified shall not assign any of its rights or any of its obligations under this Agreement without the prior written consent of Client; provided however that Fortified may, without Client’s consent, assign this Agreement to any entity that acquires Fortified by merger, acquisition or purchase of substantially all of the assets of Fortified.  Subject to the foregoing, this Agreement shall inure to the benefit of the successors and assigns of Client and shall be binding upon Fortified’s successors and permitted assigns.

            d.  Client understands and agrees that the resources provided by Fortified for the performance of Services hereunder may be employees or subcontractors of Fortified.

            e. Any notices required or permitted hereunder may be given to the appropriate party by email and by certified mail, postage prepaid, return receipt requested or by nationally recognized overnight courier service, at the address specified below or at such other address as the party shall specify in writing.  Notices shall be deemed effective upon receipt regardless of the method of transmittal.

            If to Fortified:

                                    Fortified Health Security

                                    2550 Meridian Blvd.

                                    Suite 190

                                    Franklin, TN 37067    

                                    Attn: CEO

            With an additional copy (email) to:

            If to Client: The address of Client’s principal place of business or administrative offices.

Either party may change the designated address for receipt of notices by notifying the other party in writing of such change.

Attachment A:  Business Associate Addendum

This Business Associate Agreement (“Agreement”) is entered into between Fortified Health Security (“Business Associate”) and Client and is effective upon the Effective Date of the Agreement.  Business Associate and Client are parties to certain underlying agreements whereby Business Associate performs services on behalf of Client that may involve the use and disclosure of Protected Health Information.  This Agreement defines the parties’ obligations with respect to Business Associate’s use and disclosure of Protected Health Information.

1.   Definitions.  As used herein, the following terms shall have these designated meanings:

1.1 “Breach” has the same meaning as set forth in Section 13400 of HITECH and shall include the unauthorized acquisition, access, use or disclosure of PHI that compromises the security and/or privacy of such PHI.  Any impermissible use or disclosure of Unsecured PHI is presumed to be a Breach requiring notification, except where an exception exists or where a Business Associate or Covered Entity, as applicable, demonstrates that there is a low probability that Unsecured PHI has been compromised based on a risk assessment, involving the analysis of required factors, that there is a low probability that the Unsecured PHI has been compromised: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the protected health information or to whom the disclosure was made; (iii) whether the protected health information was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.

1.2 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.

1.3 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the “Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; and Other Modifications of the HIPAA Rules.”

1.4 “HITECH” means the Health Information Technology for Economic and Clinical Health Act, a portion of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder.

1.5 “Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information promulgated by the US Department of Health and Human Services, 45 CFR Parts 160 and 164 as may be amended from time to time.

1.6 “Protected Health Information” or “PHI” means information that is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse that relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual or the past, present or future payment for the provision of healthcare to an individual and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

1.7 “Security Standards” means the Security Standards promulgated by the US Department of Health and Human Services, 45 CFR Parts 160 and 164 as may be amended from time to time.

1.8 “Underlying Agreement(s)” means any contract or agreement between Client and Business Associate whereby Business Associate supplies goods and/or services to or on behalf of Client.

1.9 “Unsecured Protected Health Information” or “Unsecured PHI” means PHI that is not secured through the use of a technology or methodology specified by the Secretary of the US Department of Health and Human Services pursuant to HITECH.

2. Use and Disclosure of Protected Health Information.  Except as otherwise stated herein, Business Associate shall use and disclose Protected Health Information only as required to perform its obligations under the Underlying Agreement(s).  Business Associate shall not, and shall ensure that its employees, contractors, subcontractors and agents do not, use or disclose PHI received from Client in any manner that would violate the Privacy Standards or Security Standards if so used by Client.  Business Associate is responsible for full compliance with the Privacy Standards and Security Standards, as required by HITECH, to the same extent as Client.

3. Business Associate’s Responsibilities Regarding Protected Health Information.  With regard to its use and/or disclosure of Protected Health Information, Business Associate agrees to:

a. use and/or disclose PHI only as permitted by this Agreement or as required by law;

b. use appropriate safeguards to prevent unauthorized use or disclosure of PHI, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of Client;

c. comply, where applicable, with HIPAA Standards with respect to Electronic Protected Health Information to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement

d. promptly report to Client (i) any use or disclosure of PHI of which Business Associate becomes aware that is not permitted or required by this Agreement; (ii) any security incident or incident that compromises or could compromise the confidentiality, integrity and availability of Electronic PHI created, received, maintained or transmitted on behalf of Client; and/or (iii) any Breach of Unsecured PHI, including identifying each individual whose information has been or is reasonably believed to have been subject to the Breach, and sufficient details concerning the nature of the breach, the date it occurred and the date of discovery, the type of information involved and the steps Business Associate is taking to investigate, remediate and mitigate against further damage or losses.  Business Associate will notify Client of any of the above events no later than five (5) business days after Business Associate becomes aware of such event;

e. in the event of a security incident involving Electronic PHI or a Breach of Unsecured PHI, mitigate to the extent practicable any harmful effects of such incident or breach;

f. require all its employees and agents that receive, use or have access to PHI to agree in writing to appropriately safeguard PHI in accordance with the requirements of the applicable requirements of § 164.504(e) 

g. ensure, in accordance with 45 CFR § 164.502(e)(1)(ii) and 164.308(b)(2), that any subcontractors that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to the Protected Health Information, including complying with the applicable Security Regulation requirements.

h. make available its internal practices, books and records relating to the use and disclosure of PHI to the Secretary of HHS for purposes of determining the parties’ compliance with HIPAA and /or HITECH;

i. within ten (10) business days after receiving a written request from Client, provide to Client such information as is requested and necessary to enable Client to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with HIPAA.  Such information shall include, at a minimum, the date of any disclosure by the Business Associate, the name and address of the entity or person to whom disclosure was made, a description of the PHI so disclosed and a description of the purpose for which such disclosure was made.  Business Associate agrees to implement appropriate record keeping processes to enable it to comply with the requirements of this section;

j. make available PHI in its possession for amendment and/or incorporate any such amendments or corrections into the PHI in accordance with the HIPAA regulations;

k. promptly report to Client any subpoena, court or other administrative order or discovery request calling for release or disclosure of PHI so that Client will have an opportunity to seek protective relief or otherwise direct Business Associate’s response to such request;

l. upon termination of this agreement, return to Client or destroy all PHI in its possession maintained or stored in any form or media, and retain no copies, if it is feasible to do so.  If return or destruction is not feasible, Business Associate agrees to extend all protections contained in this Agreement to its use and or disclosure of any retained PHI following termination of this Agreement, and to limit all further uses and/or disclosures to those purposes that make the return or destruction of the PHI not feasible.

4.   Permitted Uses and Disclosures of PHI.  Notwithstanding the restrictions and conditions upon the use and/or disclosure of PHI set forth herein, Business Associate may use PHI for its proper management and administration and to fulfill Business Associate’s legal responsibilities.

5.   Minimum Necessary Representation.  Business Associate represents and warrants that it shall request, use and/or disclose only the amount of PHI that is minimally necessary to perform its obligations under the Underlying Agreement(s).  In addition, Business Associate represents and warrants that it will institute and implement policies and practices to limit its uses and disclosures of PHI to that which is minimally necessary to perform its obligations under the Underlying Agreement(s).

6.   Client’s Responsibilities.  Client agrees to notify Business Associate promptly in writing of any arrangements between Client and any individual who is the subject of PHI that may impact Business Associate’s use and disclosure of PHI under this Agreement.

7.   Termination.  In addition to any other rights or remedies Client may have under this Agreement or at law or in equity, Client may terminate this Agreement if Business Associate has breached a material term of this Agreement, which has not been cured within ten (10) days of the date of notice of breach.  In such event, Client, in its sole discretion, may also terminate any and all Underlying Agreements that require use and/or disclosure of PHI by Business Associate. This Agreement shall terminate automatically if there is no Underlying Agreement in effect that requires use and/or disclosure of PHI by Business Associate.

8.   Injunctive Relief.  The parties stipulate that any unauthorized use and/or disclosure of PHI could cause Client irreparable harm.  Therefore, in such event, Client shall be entitled to such injunctive relief as shall be deemed appropriate by a court of competent jurisdiction without a requirement for posting of bond.  Such injunctive relief shall be available in addition to any other rights or remedies available at law or in equity.

9.   Indemnification.  Business Associate shall indemnify, defend and hold harmless Client for any and all claims, inquiries, costs or damages incurred by Client arising from a violation by Business Associate of its obligations under this Agreement.  Client shall give Business Associate prompt written notice of any claim or other action for which it intends to seek indemnification.

10. Miscellaneous.

10.1 Amendments.  Any amendment, addendum or modification to this Agreement must be in writing signed by the parties.

10.2 Interpretation and Governing Law.  This Agreement shall operate as an addendum to the Underlying Agreement(s).  This Agreement is entered into based upon the parties’ intent to comply with HIPAA and HITECH.  This Agreement should be construed in accordance with HIPAA, HITECH and the regulations promulgated thereunder, to the extent applicable.  In addition, this Agreement should be construed light of any interpretations and guidance regarding HIPAA/HITECH issued by the US Department of Health and Human Services from time to time.  To the extent that any portion of HIPAA and/or HITECH is materially amended in a manner than changes the obligations of the parties under this Agreement, the parties agree to execute whatever amendments or additional documents may be necessary to effectuate such revised obligations.

10.3 Severability and Waiver.  If any provision of this Agreement cannot be enforced, the remaining portion of the Agreement will remain in effect and will be deemed to be modified to be valid and enforceable to the fullest extent permitted by law.  If either party waives any provision of this Agreement, that does not mean any other provision(s) are also waived or that the same provision is waived at any other time or for any other purpose.

10.4 Beneficiaries.  Business Associate and Client are the only beneficiaries to the consideration or other requirements and provisions of this Agreement.

10.5 Notice.  Whenever notice is required to be given under this Agreement such notice shall be given in the manner specified in the Underlying Agreement(s).