Last updated: September 5, 2025

Nava Benefits HQ platform terms of service for free trial.

This Nava Benefits HQ Platform Services Agreement (“Agreement”) governs your use, or the use by the company or entity on whose behalf you enter into this Agreement (“Client” or “you”), of the Services (as defined below) made available by Advocate, Inc. dba NAVA Benefits, having a principal place of business at 228 Park Ave S PMB 97880, New York, NY 10003 USA (“Nava” or “NAVA”).

This Agreement is effective, and you agree to be bound by this Agreement, as of the date you (a) first click a button or check a box titled “I agree”, “submit”, or something similar, or (b) use or access the Services, whichever is earlier (“Effective Date”). If you are an individual acting on behalf of an entity, you represent and warrant that you have the authority to enter into this Agreement on behalf of that entity and to legally bind that entity. If you do not accept the terms of this Agreement, then you are not permitted to, and you must not, access or otherwise use the Services.

I. Scope of Services

This section outlines the HQ Platform Services that Nava makes available to you. 

Objectives of the HQ Platform: 

HQ by Nava is an all-in-one benefits platform that gives every HR team the power of an AI-powered benefits specialist. It combines renewal strategy, 24/7 employee support, billing audits, document management, and real-time integrations with HRIS and carriers into one unified system, backed by Nava’s expert service team.

1. Platform Access and Licensing

Nava will provide Client with access to the HQ by Nava benefits platform (the “Platform”), designed to centralize and simplify employee benefits administration. Platform access includes:

  • A secure, cloud-based portal for Client’s HR and benefits teams;
  • Configurable user permissions for HR roles;
  • Ongoing system updates, feature enhancements, and technical support.

2. AI-Powered Support and Decision Guidance

The Platform includes AI-powered functionality (the “AI Functionality”) to support HR teams in making informed benefits decisions. Features include:

  • Real-time renewal modeling
  • Benefit plan design benchmarking
  • Instant answers to benefits questions
  • Centralized document storage
  • Embedded enrollment audits 

Notwithstanding anything to the contrary, Client acknowledges and agrees that Nava may, in its sole discretion, update, modify or suspend the Services, in whole or in part, at any time during the Term, without prior notice to Client. Nava will have no liability to the Client for any such activity. 

II. Service Agreement

0. Definitions

“NAVA IP” means the Services, the underlying software provided in conjunction with the Services, algorithms, interfaces, technology, databases, tools, know-how, processes and methods used to provide or deliver the Services, all improvements, modifications or enhancements to, or derivative works of, the foregoing (regardless of inventorship or authorship), and all intellectual property rights in and to any of the foregoing.

“Client Materials” means (i) all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Client through the Services or to NAVA in connection with Client’s use of the Services and (ii) any queries or input uploaded or submitted to the AI Functionality component of the Platform (“Input”), but excluding, for clarity, any other information, data, data models, content or materials owned or controlled by NAVA and made available through or in connection with the Services.

“Output” means automated responses or output generated by the AI Functionality of the Platform in response to Input.

“Services” means the Platform and the AI Functionality made available by NAVA to Client.

1. Client and Nava Responsibilities

A. Client responsibilities:

  1. Client agrees to furnish information necessary for NAVA to execute the terms of this Agreement, including but not limited to:
    1. Ongoing administrative and reporting access to Client’s Benefits Administration system to access key reports (employee census information, plan information) required for the services outlined, and/or via Client’s authorization to the insurance carrier(s) granting Nava direct access to the relevant data.
    2. Access to relevant documentation from prior benefits packages (e.g., prior benefits guides).
  2. Client commits to ensuring the transmission of accurate and updated employee and benefits enrollment information to NAVA for execution of the Services. Subject to this Section, NAVA acknowledges that, as between Client and NAVA, Client owns and retains all right, title and interest in and to all Client Materials. Client represents and warrants that (i) it has obtained and will obtain and continue to have, during the Term, all necessary rights, authority and licenses for the access to and use of the Client Materials (including any personal data provided or otherwise collected pursuant to Client’s privacy policy) as contemplated by this Agreement and (ii) NAVA’s use of the Client Materials in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Client and any third party. Client grants NAVA a non-exclusive, worldwide, royalty-free right and license to use, reproduce, display, perform and modify the Client Materials and Output for the purpose of operating and providing the Services and complying with applicable law. NAVA may develop or derive data or insights from Client Materials and Output on an aggregated, de-identified basis to optimize, improve and train its Services.
  3. Client is ultimately responsible for the accuracy and completeness of data associated with these services, and is responsible for reviewing the output of the services outlined for accuracy from both Nava Benefits and relevant insurance carriers. 
  4. Client will not at any time and will not permit any person to, directly or indirectly: (i) use the Services in any manner beyond the scope of rights expressly granted in this Agreement; (ii) modify or create derivative works of the Services, in whole or in part; (iii) reverse engineer, disassemble, decompile, decode or otherwise attempt to derive or gain improper access to any software component of the Services or any components, models, algorithms or systems used to provide the Services, in whole or in part, or engage in any of the adversarial attacks set forth in the NIST AI 100-2 E2023 publication available at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2023.pdf; (iv) frame, mirror, sell, resell, rent or lease use of the Services to any other person, or otherwise allow any person to use the Services for any purpose other than for the benefit of Client in accordance with this Agreement; (v) use the Services, Output or documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law; (vi) interfere with, or disrupt the integrity or performance of, the Services, or any data or content contained therein or transmitted thereby; or (vii) access or search the Services (or download any data or content contained therein or transmitted thereby) through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers or any other similar data mining tools) other than software or Services features provided by Nava for use expressly for such purposes; (viii) use the Services, documentation or any other Nava confidential information to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Services; (ix) use the Services or any Output in a manner that violates the OpenAI Usage Policies located at https://openai.com/policies/usage-policies, or any other such third party usage policies as applicable; or (x) utilize the Services (including any AI models or derivatives thereof), documentation, Input or Output to train, improve or have trained or improved an AI model (e.g., engage in “model scraping”).
  5. Certain features and functionalities within the Services may allow Client to interface or interact with, access and/or use compatible third-party services, products, technology and content (collectively, “Third-Party Services”) through the Services.  NAVA does not provide any aspect of the Third-Party Services and is not responsible for any compatibility issues, errors or bugs in the Services or Third-Party Services caused in whole or in part by the Third-Party Services or any update or upgrade thereto.  Client is solely responsible for maintaining its relationship with the applicable Third-Party Services and obtaining any associated licenses and consents necessary for Client to use the Third-Party Services in connection with the Services.
  6. Nava is not responsible for, and shall have no liability to Client for errors associated with inaccurate information received in the placement of coverage, or for errors made by insurance carriers / vendor partners or other third-parties in the execution of this Agreement.
  7. Client agrees that for the Term and for a period of one (1) year following any termination or expiration of this Agreement, Client will not directly or indirectly solicit or employ any employee of NAVA, nor will Client encourage or assist others to do so; provided that the foregoing does not restrict Client from hiring an individual who responds to a general advertisement for employment.

2. Confidentiality

  1. As used herein, “Confidential Information” means any information that one Party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure.  However, Confidential Information will not include any information or materials that: (i) were, at the date of disclosure, or have subsequently become, generally known or available to the public through no act or failure to act by the Receiving Party; (ii) were rightfully known by the Receiving Party prior to receiving such information or materials from the Disclosing Party; (iii) are rightfully acquired by the Receiving Party from a third party who has the right to disclose such information or materials without breach of any confidentiality or non-use obligation to the Disclosing Party; or (iv) are independently developed by or for the Receiving Party without use of or access to any Confidential Information of the Disclosing Party.

    The Receiving Party will maintain the Disclosing Party’s Confidential Information in strict confidence, and will not use the Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement. The Receiving Party will not disclose or cause to be disclosed any Confidential Information of the Disclosing Party, except (i) to those employees, representatives, or contractors of the Receiving Party who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency or other governmental body, subject to the Receiving Party providing to the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure. 

    The terms and conditions of this Agreement will constitute Confidential Information of each Party but may be disclosed on a confidential basis to a Party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes. 
  2. In connection with the provisions of the Services, the Parties hereby enter into the Business Associate Agreement appended as Appendix A below.

3. Termination and Removal

  1. The term of this Agreement begins on the Effective Date and shall remain in effect for the earlier of (a) fourteen (14) days or (b) the date that Client executes a separate agreement with NAVA for the provision of the Services (the “Term”). 
  2. NAVA may extend the Term or terminate this Agreement at any time in its sole discretion. Client may terminate this Agreement for convenience at any time by providing at least ten (10) days’ prior written notice to NAVA.
  3. Upon expiration or termination of this Agreement:  

    If Client elects to procure a paid version of the Services (a “Paid Offering”), Client must enter into a separate agreement with Nava governing the provision of the Paid Offering. 

    If the Client elects not to obtain a Paid Offering, Client will return or destroy, at NAVA’s sole option, all NAVA Confidential Information in its possession or control, including permanent removal of such NAVA Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Client’s possession or under Client’s control, and at NAVA’s request, certify in writing to NAVA that the NAVA Confidential Information has been returned, destroyed or, in the case of electronic communications, deleted.  
  4. This Section 3 and all other sections which by their nature should survive will survive any termination or expiration of this Agreement.

4. Client Data and Intellectual Property

Nava Intellectual Property

Subject to the limited rights expressly granted hereunder, NAVA reserves and, as between the parties will solely own, the NAVA IP and all rights, title and interest in and to the NAVA IP.  No rights are granted to Client hereunder (whether by implication, estoppel, exhaustion or otherwise) other than as expressly set forth herein. 

From time to time Client or its employees, contractors, or representatives may provide Nava with suggestions, comments, feedback or the like with regard to the Services or Nava’s other products or services (collectively, “Feedback”).  Client hereby grants Nava a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with Nava’s business purposes, including, without limitation, the testing, development, maintenance and improvement of the Services.

5. Limitation of Liability and Indemnity

Disclaimers; Limitation of Liability

THE SERVICES AND OTHER NAVA IP ARE PROVIDED ON AN “AS IS” BASIS, AND NAVA MAKES NO WARRANTIES OR REPRESENTATIONS TO CLIENT OR TO ANY OTHER PARTY REGARDING THE NAVA IP, THE SERVICES OR ANY OTHER SERVICES OR MATERIALS PROVIDED HEREUNDER.  TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NAVA HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE.  WITHOUT LIMITING THE FOREGOING, NAVA  HEREBY DISCLAIMS ANY WARRANTY THAT USE OF THE SERVICES WILL BE ERROR-FREE, BUG-FREE OR UNINTERRUPTED. 

DUE TO THE NON-DETERMINISTIC NATURE OF LARGE LANGUAGE MODELS, OUTPUT MAY NOT BE UNIQUE AND THE SERVICES MAY GENERATE THE SAME OR SIMILAR OUTPUT FOR CLIENT, NAVA OR A THIRD PARTY. GIVEN THE PROBABILISTIC NATURE OF MACHINE LEARNING, THE SERVICES MAY IN SOME SITUATIONS PRODUCE OUTPUT THAT IS INACCURATE, INCORRECT, OFFENSIVE OR OTHERWISE UNDESIRABLE. THE ACCURACY, QUALITY AND COMPLIANCE WITH APPLICABLE LAW OF THE OUTPUT IS DEPENDENT UPON AND COMMENSURATE WITH THAT OF THE INPUT PROVIDED AND CLIENT’S COMPLIANCE WITH THIS AGREEMENT, AND NOTWITHSTANDING ANYTHING ELSE SET OUT HEREIN, NAVA WILL NOT HAVE ANY LIABILITY OR RESPONSIBILITY TO CLIENT OR ANY OTHER PERSON OR ENTITY FOR ANY LOSS OR DAMAGES RELATING TO OR ARISING FROM INPUT, THE OUTPUT OR THEIR USE. CLIENT WILL EVALUATE THE CONTENT, NATURE, TONE AND ACCURACY OF ANY OUTPUT AS APPROPRIATE FOR THE APPLICABLE USE CASE, INCLUDING BY USING HUMAN REVIEW OF THE OUTPUT.

NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, CLIENT UNDERSTANDS, ACKNOWLEDGES, AND AGREES THAT: (I) NOTHING HEREIN CONSTITUTES AN OFFER OR GUARANTEE OF HEALTH INSURANCE COVERAGE; (II) REQUIREMENTS FOR A SPECIFIC INSURANCE PLAN OR SERVICE ARE MADE SOLELY BY THE BENEFITS PROVIDER OF THAT INSURANCE PLAN OR SERVICE; (III)  NAVA BENEFITS DOES NOT GUARANTEE ANY BENEFITS PROVIDER’S INSURANCE PLAN OR SERVICE; AND (IV) NAVA BENEFITS IS NOT AND SHALL NOT BE LIABLE FOR ANY DAMAGES, COSTS, LIABILITIES, OR LOSSES OF ANY KIND ARISING OUT OF OR IN CONNECTION WITH CLIENT’S USE OF ANY BENEFITS PROVIDER’S INSURANCE PLAN.

NAVA IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE. THE SERVICES AND ANY CONTENT, MATERIALS OR INFORMATION GENERATED, DISPLAYED OR OTHERWISE MADE AVAILABLE THROUGH THE SERVICES ARE NOT INTENDED TO, AND DO NOT CONSTITUTE LEGAL ADVICE OR LEGAL OPINIONS OF ANY KIND. THE SERVICES ARE NOT A SUBSTITUTE FOR THE ADVICE OF AN ATTORNEY. 

Exclusion of Damages.  NAVA WILL NOT BE LIABLE TO CLIENT FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE OR BUSINESS INTERRUPTION, OR THE COST OF COVER OR SUBSTITUTE SERVICES, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, NAVA’S INTELLECTUAL PROPERTY OR THE PROVISION OF THE SERVICES CONTEMPLATED UNDER THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

Total Liability.  IN NO EVENT WILL NAVA’S TOTAL LIABILITY TO CLIENT IN CONNECTION WITH THIS AGREEMENT, NAVA’S IP OR THE PROVISION OF THE SERVICES CONTEMPLATED UNDER THIS AGREEMENT EXCEED FIVE HUNDRED DOLLARS ($500), REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT NAVA WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

Basis of the Bargain.  THE PARTIES HEREBY ACKNOWLEDGE AND AGREE THAT THE LIMITATIONS OF LIABILITY IN THIS SECTION ARE AN ESSENTIAL PART OF THE BASIS OF THE BARGAIN BETWEEN NAVA AND CLIENT AND WILL APPLY EVEN IF THE REMEDIES AVAILABLE HEREUNDER ARE FOUND TO FAIL THEIR ESSENTIAL PURPOSE.

Client Indemnity

Client will indemnify, defend, and hold NAVA and its subsidiaries, controlled affiliates and shareholders harmless from any and all third party claims, suits, demands, actions, or settlements (“Claims”) and any losses, damages, liabilities, penalties or other costs (including reasonable attorneys’ fees and expenses) (“Costs”) arising from (i) infringement claims arising from (a) Client’s authorized and unmodified use of the Services (solely in the case of NAVA as indemnifying party) or (b) NAVA’s authorized use of Client Materials (solely in the case of Client as indemnifying party); (ii) violation of applicable laws; and (iii) gross negligence or intentional misconduct.

6. General.

Entire Agreement.  This Agreement, including its appendices and Service Plan, is the complete and exclusive agreement between the Parties with respect to its subject matter and supersedes any and all prior or contemporaneous agreements, communications and understandings, both written and oral, with respect to its subject matter.  This Agreement may be amended or modified by NAVA at any time in its discretion, subject to applicable law, and NAVA will communicate any such amendments or modifications to Client via the Services or another method and Client will have an opportunity to agree to the amendments or modifications. Subject to applicable law, in the event that Client does not agree with such amendments or modifications, Client may not use the Services anymore. 

Waiver.  NAVA’s failure to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision.  No waiver of any provision of this Agreement will be effective unless it is in writing and signed by NAVA.

Severability.  If any provision of this Agreement is held invalid, illegal or unenforceable, that provision will be enforced to the maximum extent permitted by law, given the fundamental intentions of the Parties, and the remaining provisions of this Agreement will remain in full force and effect. 

Governing Law; Jurisdiction.  This Agreement will be governed by and construed in accordance with the laws of the State of New York without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction.  The Parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply.  Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in New York and the Parties irrevocably consent to the personal jurisdiction and venue therein.

Assignment.  Client may not assign or transfer this Agreement, by operation of law or otherwise, without NAVA’s prior written consent.  Any attempt to assign or transfer this Agreement without such consent will be void.  NAVA may freely transfer or assign this Agreement. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the Parties and their respective successors and permitted assigns.

Force Majeure.  NAVA will not be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control, which may include, without limitation, labor disputes, strikes, lockouts, shortages of or inability to obtain energy, raw materials or supplies, denial of service or other malicious attacks, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God.

Relationship of the Parties.  The relationship between the Parties is that of independent contractors.  Nothing in this Agreement will be construed to establish any partnership, joint venture or agency relationship between the Parties.  Neither Party will have the power or authority to bind the other or incur any obligations on the other’s behalf without the other Party’s prior written consent.

Notices. NAVA may provide notices to you by providing electronic notification via the Services, or by email to the address associated with your account. You may provide notices to NAVA via email at legal@navabenefits.com. All notices are effective upon posting or when delivered.

Appendix A: Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this “Agreement”) is effective as of the Effective Date among the “health plans” (as defined in 45 C.F.R. § 160.103) sponsored by Plan Sponsor (defined below) that are “covered entities” (as defined in 45 C.F.R. § 160.103) (for example, certain health plans, dental plans, vision plans, and health flexible spending arrangements) (“Covered Entity”), Client (“Plan Sponsor”), and Advocate, Inc. d/b/a Nava Benefits (“Business Associate”).

RECITALS

WHEREAS, Covered Entity and/or Plan Sponsor have entered into or may enter into an agreement with Business Associate (the “Services Agreement”) whereby Business Associate has agreed to provide certain services for or on behalf of Covered Entity and its user employees/dependents (“End Users”) of Business Associate’s products, applications and services (collectively, “BA Applications”).

WHEREAS, the parties anticipate that they will need or want to disclose certain PHI (defined below) to each other and to third parties pursuant to this Agreement and the Services Agreement.

WHEREAS, the parties intend to comply with Applicable Law (defined below) to protect the privacy of PHI disclosed to the other pursuant to this Agreement and to the Services Agreement and to provide for the security of such PHI.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement and the Services Agreement, the parties agree as follows:

I. DEFINITIONS

A. In General. Terms used, but not otherwise defined, in this Agreement shall have the same meanings as those terms in Applicable Law.

B. Specific Definitions.

  1. “Applicable Law” shall mean any of the following items, including any amendments to any such item as such may become effective:
    1. The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”);
    2. The Health Information Technology for Economic and Clinical Health Act and its implementing regulations (“HITECH”);
    3. The federal regulations regarding privacy, promulgated under HIPAA and/or HITECH and found at Title 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”);
    4. The federal regulations regarding electronic data interchange, promulgated under HIPAA and/or HITECH and found at Title 45 C.F.R. Parts 160 and 162 (the “Transaction Rule”);
    5. The federal regulations regarding security, promulgated under HIPAA and/or HITECH and found at Title 45 C.F.R. Parts 160 and 164 (the “Security Rule”);
    6. The federal regulations regarding breach notification, promulgated under HIPAA and/or HITECH and found at Title 45 C.F.R. Part 164 (the “Breach Notification Rule”).
  2. “Data Aggregation” shall have the meaning assigned to such a term in 45 CFR § 164.501, and includes, but is not limited to, combining PHI created or received by Business Associate from covered entities to whom Business Associate is a Business Associate to permit data analysis services for Covered Entity as set forth in the Underlying Agreement or an applicable statement of work or other written agreement and that is consistent with this Agreement. 
  3. “ePHI” means electronic protected health information within the meaning of 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  4. “HIPAA Breach” means a “breach” of “unsecured protected health information,” as those terms are defined in 45 C.F.R. § 164.402, except that “unsecured protected health information” shall be limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  5. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  6. “Unsuccessful Security Incidents” shall mean Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of information or interference with system operation in an Information System in which PHI is stored or maintained, including, but not limited to:  (i) “pings” and other broadcast attacks on an information system firewall; (ii) port scans; (iii) attempts to log on to an information system or enter a database with an invalid password or user name; or (iv) denial-of-service attacks that do not result in a server being taken offline, or any combination of the aforementioned, that does not result in unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s ePHI.

II. RIGHTS AND OBLIGATIONS OF COVERED ENTITY

A. Privacy Practices and Restrictions.

  1. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and its policies regarding the “minimum necessary” requirements in 45 C.F.R. §164.502(b) to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information, and to notify Business Associate of any material changes thereof.
  2. Covered Entity shall promptly, but no later than five (5) business days, notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an End User to use or disclose PHI if such changes affect Business Associate’s permitted or required uses and disclosures.
  3. Covered Entity warrants and represents that (i) it is entitled to receive PHI in accordance with 45 C.F.R. § 164.504(f); (ii) it has received a certification from Plan Sponsor in accordance with 45 C.F.R. § 164.504(f)(2)(ii); and (iii) the plan documents of Covered Entity permit the Plan to receive PHI, including detailed invoices, reports, and statements from Business Associate.

B. Permissible Requests by Covered Entity.

  1. In performing its obligations and exercising its rights under this Agreement, Covered Entity shall use and disclose PHI in compliance with Applicable Law. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  2. If Covered Entity requests PHI from Business Associate, Covered Entity will limit its request to the minimum necessary PHI required to fulfill the purpose of Covered Entity’s use or further disclosure of such PHI.

III. RIGHTS AND OBLIGATIONS OF BUSINESS ASSOCIATE

A. Uses and Disclosures by Business Associate. Except as otherwise limited in this Agreement or by Applicable Law, Business Associate may:

  1. Use or disclose PHI to perform functions, activities, or services for or on behalf of Covered Entity, as specified in the Services Agreement between the parties and in this Agreement, provided that such use or disclosure is consistent with Covered Entity’s Notice of Privacy Practices as provided by Covered Entity to Business Associate on an annual basis and upon material changes, and provided that such use or disclosure would not violate HIPAA or the Privacy Rule if done by Covered Entity.
  2. Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
  3. Disclose PHI for the proper management and administration of Business Associate, provided that (i) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, or (ii) the disclosures are Required By Law.
  4. Use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
  5. Create de-identified information from PHI received or created by Business Associate under this Agreement in accordance with the Privacy Rule. The parties acknowledge and agree that de-identified data does not constitute PHI.
  6. Upon Covered Entity’s written direction, use the PHI to create a Limited Data Set (“LDS”) and use or disclose the LDS for the health care operations of Covered Entity as provided in the Privacy Rule.
  7. Use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
  8. Use PHI to the extent and for any purpose authorized by an End User under 45 C.F.R. § 164.508.

B. General Obligations of Business Associate.

  1. Subcontractors and Agents. Business Associate shall ensure that any subcontractor to whom it provides PHI contractually agrees to similar restrictions and conditions that apply to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern of activity or practice of a subcontractor constituting a material violation of the subcontractor’s obligations under the written agreement described in this Section 1, Business Associate agrees to take reasonable steps to cure or end the violation, and if such steps are unsuccessful, to terminate the agreement with subcontractor, if feasible.
  2. Access to Books and Records by Secretary. Business Associate shall make its internal practices, books, and records relating to the use, disclosure, and security of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with HIPAA.
  3. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of (a) a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, or (b) a Security Incident.
  4. Compliance with Privacy Rule.
    1. Business Associate shall not use or further disclose PHI other than as permitted or required by HIPAA and this Agreement.
    2. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
    3. Business Associate shall report to Covered Entity any use or disclosure of PHI, known to Business Associate, that is not permitted by this Agreement.
    4. Business Associate shall comply with the Privacy Rule to the extent required by HITECH.
    5. Except as permitted under 45 CFR § 164.502(a)(5)(ii), Business Associate agrees it shall not directly or indirectly receive remuneration in exchange for PHI from or on behalf of the recipient of such PHI. 
    6. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, upon request, for purposes of determining and facilitating Covered Entity’s compliance with HIPAA.  
    7. Business Associate shall comply with all applicable requirements under HHS’ 2024 Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy including obtaining an attestation that PHI requested will not be used or disclosed for a prohibited purpose.
  5. Compliance with Transaction Rule. To the extent that Business Associate, on behalf of Covered Entity or Plan Sponsor, conducts transactions that are subject to the Transaction Rule, Business Associate shall comply with the Transaction Rule.
  6. Compliance with Security Rule.
    1. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
    2. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. Notwithstanding the foregoing, trivial and unsuccessful attempts to penetrate Business Associate’s networks, systems or BA Applications, such as scans, “pings” or similar strategies, need not be reported.
    3. Business Associate shall comply with the Security Rule to the extent required by HITECH.
  7. Compliance with Breach Notification Rule. If Business Associate discovers that there has been a HIPAA Breach, Business Associate shall notify Covered Entity without unreasonable delay and in no event more than 30 calendar days following the discovery. To the extent known, such notice shall include identification of each End User whose PHI Business Associate reasonably believes to have been accessed, acquired, or disclosed during such HIPAA Breach. As soon as possible thereafter, and to the extent known, Business Associate shall also provide Covered Entity with a description of (i) what happened, including the date of the HIPAA Breach and the date of the discovery, (ii) the types of unsecured PHI involved in the HIPAA Breach, (iii) any steps End Users should take to protect themselves from potential harm from the HIPAA Breach, and (iv) what Business Associate is doing to investigate the HIPAA Breach, to mitigate harm to End Users, and to protect against any further HIPAA Breaches. Business Associate’s fulfillment of the reporting obligations set forth in this Agreement may not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any Use, Disclosure, Security Incident, or HIPAA Breach. Notwithstanding the notification provisions above, the Parties acknowledge and agree that this constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.
  8. Compliance with Confidentiality of Substance Use Disorder Patient Records Regulations. Business Associate acknowledges and agrees that its uses and disclosures of PHI relating to substance use disorder(s) shall comply with 42 CFR Part 2.

C. Obligations of Business Associate Regarding End User Rights.

  1. Restrictions on Disclosures. Upon request by an End User, Covered Entity shall determine whether an End User is entitled to a restriction on disclosure of his or her PHI pursuant to 45 C.F.R. § 164.522. If Covered Entity determines that an End User is entitled to such a restriction, Covered Entity will communicate the decision in writing to Business Associate. Business Associate will restrict its disclosures of the PHI in the same manner as would be required for Covered Entity. If Business Associate receives an End User’s request for restrictions, Business Associate shall forward such request to Covered Entity.
  2. Access to PHI. Upon request by an End User, Covered Entity shall determine whether an End User is entitled to access his or her PHI pursuant to 45 C.F.R. § 164.524. If Covered Entity determines that an End User is entitled to such access, and that such PHI is under the control of Business Associate, Covered Entity will communicate the decision in writing to Business Associate. Business Associate shall provide access to the PHI in the same manner as would be required for Covered Entity. If Business Associate receives an End User’s request to access his or her PHI, Business Associate shall forward such request to Covered Entity.
  3. Amendment of PHI. Upon request by an End User, Covered Entity shall determine whether any End User is entitled to amend his or her PHI pursuant to 45 C.F.R. § 164.526. If Covered Entity determines that an End User is entitled to such an amendment, and that such PHI is both in a designated record set and under the control of Business Associate, Covered Entity will communicate the decision in writing to Business Associate. Business Associate shall provide an opportunity to amend the PHI in the same manner as would be required for Covered Entity. If Business Associate receives an End User’s request to amend his or her PHI, Business Associate shall forward such request to Covered Entity.
  4. Accounting of Disclosures. Upon request by an End User, Covered Entity shall determine whether any End User is entitled to an accounting pursuant to 45 C.F.R. § 164.528. If Covered Entity determines that an End User is entitled to an accounting, Covered Entity will communicate the decision in writing to Business Associate. Business Associate will provide information to Covered Entity that will enable Covered Entity to meet its accounting obligations. If Business Associate receives an End User’s request for an accounting, Business Associate shall forward such request to Covered Entity.

IV. TERM AND TERMINATION

A. Term. The term of this Agreement shall begin on the Effective Date and shall end upon the termination of the Services Agreement or upon termination for cause as set forth in the following paragraph, whichever is earlier.

B. Termination for Cause. Upon a party’s knowledge of a material breach by the other, the non-breaching party shall provide written notice to the breaching Party and may terminate this Agreement if the breaching party does not cure the breach or end the violation within 30 days of receipt of such notice.

C. Effect of Termination.

  1. Except as provided in the following paragraph, upon termination of this Agreement for any reason, upon Covered Entity’s request, Business Associate shall return or destroy all PHI within its possession or control, and all PHI that is in the possession or control of Business Associate’s subcontractors or agents. Business Associate shall retain no copies of PHI.
  2. If Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The parties agree that it would not be feasible for Business Associate to return or destroy the PHI reasonably needed to be retained by Business Associate for its own legal and risk management purposes, including copies of PHI that may be included in information retained for archival purposes.

V. MISCELLANEOUS

A. Electronic Health Record. Business Associate shall not maintain any “electronic health record” or “personal health record,” as those terms are defined under HITECH, for or on behalf of Covered Entity.

B. Regulatory References. A reference in this Agreement to a section in any Applicable Law means the section in effect or as amended, and for which compliance is required.

C. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for any party hereto to comply with the requirements of Applicable Law. All amendments to this Agreement, except those occurring by operation of law, shall be in writing and signed by both parties.

D. Interpretation; Integration. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with Applicable Law. This Agreement constitutes the full and complete agreement between the parties with respect to the subject matter hereof and supersedes any prior oral or written communication between the parties with respect to the subject matter hereof. No promises or other inducements or representations not set forth in this Agreement have been made by either party to the other in connection herewith. Each party has negotiated this Agreement in an arm’s length manner and with the advice of its own attorney(s).

E. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer upon any person, other than Covered Entity and Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

F. Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the underlying Services Agreement shall remain in force and effect.

G. Counterparts. This Agreement may be executed in counterparts, each of which may be deemed an original but together constitute one and the same instrument.

H. Governing Law. The provisions of this Agreement shall be construed and administered to, and its validity and enforceability determined, under Applicable Law. In the event that Applicable Law does not or other applicable federal laws do not preempt state law in a particular circumstance, the laws of the State of New York shall govern notwithstanding any conflicts of law or choice of law principles thereof. Venue and forum shall be proper only in a court of competent jurisdiction located in New York County, New York, and Covered Entity and Plan Sponsor hereby consent to the subject matter jurisdiction of and the personal jurisdiction in such courts.

I. Plan Sponsor Authority. Plan Sponsor warrants and represents that it is duly organized and existing under the laws of its state of incorporation and that the person signing this Agreement on behalf of Plan Sponsor is fully authorized to do so and has authority to bind Plan Sponsor to contracts made on its behalf.

J. Covered Entity Authority. Plan Sponsor and Covered Entity warrant and represent that the person signing this Agreement on behalf of Covered Entity is fully authorized to do so and has authority to bind Covered Entity to contracts made on its behalf.

K. No Conflicts. Plan Sponsor and Covered Entity do not have any conflict of interest which would impact its and/or their ability to perform fairly its and/or their obligations under this Agreement. Plan Sponsor and Covered Entity are not subject to any restrictions, contractual or otherwise, which prevent or would prevent it and/or them from entering into this Agreement or carrying out its and/or their obligations hereunder.