NexTrust Site Terms of Service

Effective June 5, 2020   

PLEASE CAREFULLY READ THESE TERMS OF USE, ALONG WITH THE PRIVACY POLICY, BEFORE USING THE ‘SITE” OR “SERVICES” (AS DEFINED BELOW).


ACCEPTANCE OF TERMS


Welcome to BillFlash.com, which is owned and operated by NexTrust, Inc. The services that NexTrust provides through this website or through integration with various third-party billing applications (collectively, “Services”) are intended for the sole use of NexTrust’s customers and its other authorized users (“you” or “yours”) and are subject to the following terms, including the NexTrust BillFlash Privacy Policy (“Privacy Policy”) and any future modifications (collectively, this “Agreement”).  By accessing or using the Services, you agree to the terms of this Agreement. 


If you ARE NOT A NEXTRUST CUSTOMER OR an otherwise AUTHORIZED USER, OR IF YOU do not agree to the terms of this Agreement, do not access or use the Site or Services in any way, and please exit now.  

NexTrust reserves the right to update the terms of this Agreement at any time without notice to you.  From time to time you should review the most current terms of this Agreement by clicking the Terms of Use and Privacy Policy links at the bottom of the website pages. As part of the Services, you will be provided with online access to NexTrust’s BillFlash.com site and you may be provided with access to other NexTrust hosted sites or software, including any updates or new versions thereto (collectively, “Site”). 


If you are currently a party to a separate NexTrust BillFlash Services Agreement (“Customer Agreement”), the terms of your Customer Agreement will prevail over any terms of this Agreement that are contrary to or inconsistent with the terms of your Customer Agreement. This Agreement, the Privacy Policy, and any Customer Agreement constitute the entire agreement between you and NexTrust with respect to the matters contained herein. 


USER REPRESENTATIONS


You represent and warrant to NexTrust that (1) you are over the age of eighteen (18) and have authority to enter into and perform the obligations under this Agreement; (2) any information you may submit to NexTrust is truthful, accurate and complete and that you will keep any such information updated; and (3) you will comply with all of the terms of this Agreement.


USER LICENSE


You will receive a nonexclusive, non-assignable, royalty-free license to access the Site and use the Services solely for your internal business operations subject to the terms of this Agreement. You acknowledge that this Agreement is a services agreement and that NexTrust will not be delivering copies of any software to you as part of the Services. NexTrust or its licensors retain all ownership and intellectual property rights to the Site and Services, and anything developed and delivered under this Agreement. NexTrust reserves the right, in its sole discretion, to terminate your license and access to the Site, or any portion thereof, at any time, for any reason or for no reason at all, without prior notice or any notice. 


ACCOUNT INFORMATION 


To create your user account wherein you may access and use the Services (“Account”), you must provide and maintain complete and accurate account information with NexTrust (“Account Information”). Account Information includes Account usernames and passwords as well as Account profile information. NexTrust will use that Account Information to establish and maintain your Account for you. Each Account will have one unrestricted user (“Administrator”) who may, as needed, create additional unrestricted or restricted Account users.  


ACCOUNT SECURITY 


You are responsible for maintaining the confidentiality of your Account’s usernames and passwords. You will not provide false identity information to gain access to or use the Services.  You are responsible for all user activities, including by your Administrator, that occur within your Account and that are associated with your Account’s usernames and passwords. You agree to notify NexTrust immediately of any unauthorized use of your Account or any other breach of security. NexTrust will not be liable for any loss that you may incur as a result of someone else using your usernames and passwords to access your Account, either with or without your knowledge; however, you may be held liable for losses incurred by NexTrust or another party due to someone else using your usernames and passwords to access your Account. You may not access or use anyone else's account at any time without the express permission of the respective account’s owner. 


SUBMITTED DATA


NexTrust claims no ownership of the data and information you upload, input, post, transmit, or submit to NexTrust in any form in connection with the Services (each a "Submission" or to “Submit” or to have been “Submitted”). You will not Submit any data, material, code, or other information that is: (i) Protected Health Information (aka “HIPAA PHI”) or payment card information that is unsecured, (ii) protected by copyright, privacy rights, or any other intellectual property right without first obtaining the permission of the owner of such rights, or (iii) obscene, defamatory, harassing, offensive or malicious. With each Submission you grant NexTrust, and where applicable, its affiliated companies and necessary supplier’s permission and license to use your Submission in connection with the Services provided to you. With each Submission you also warrant and represent that you own or otherwise control all of the rights to your Submission as described in this Agreement including, without limitation, all the rights necessary for NexTrust to use your Submitted information as necessary to provide the Services for you. 


INDEMNIFICATION


You agree to indemnify and hold harmless NexTrust, and its owners, officers, employees, and representatives, from and against any and all causes of action, liabilities, claims, costs, losses, damages, and expenses (including reasonable attorney’s fees), arising out of a breach of your representations, warranties or agreements hereunder, including your Submission obligations outlined in the Submitted Data section above. The indemnity obligations under this section shall survive expiration or termination of this Agreement.


USER Assistance


You will provide to NexTrust, in the manner specified by NexTrust, all of the billing and payment data, information, and assistance necessary for NexTrust to perform the Services. You acknowledge that NexTrust’s ability to deliver the Services in the manner provided in this Agreement depends upon the accuracy and timeliness of such data, information, and assistance.


PROHIBITED USE


As a condition of your use of the Services, you may not use the Services in any manner that could damage, disable, overburden, or impair any NexTrust server, or the network(s) connected to any NexTrust server, or interfere with any other party's use and enjoyment of any Services. You may not attempt to gain unauthorized access to any Services, other users’ accounts, computer systems, or networks connected to any NexTrust server or to any of the Services, through hacking, password mining or any other means. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the Services. 


ADDITIONAL RESTRICTIONS


You further agree that you will not, and you will not permit others, to: (i) copy or republish the Site or Services, (ii) make the Services available to any person other than authorized users, (iii) modify or create derivative works based upon the Site or Services, (iv) remove, modify or obscure any copyright, trademark or other proprietary notices contained in the Site or Services, (v) reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Site or Services, or (vi) access the Site or Services in order to build a similar product or competitive product. Subject to the limited licenses granted herein, NexTrust will own all right, title and interest in and to the Site and Services and any other deliverables provided under this Agreement, including all modifications, improvements, upgrades, derivative works and feedback related thereto and intellectual property rights therein. You agree to assign all right, title and interest you may have in the foregoing to NexTrust.


Compliance with Laws


You will comply with all applicable local, state, national and foreign laws in connection with its use of the Services, including those laws related to data privacy, international communications, and the transmission of technical or personal data. You will not use the Services for any purpose that is unlawful or prohibited by the terms of this Agreement.


HEALTHCARE HIPAA BUSINESS ASSOCIATE AGREEMENT


In the event you require a Healthcare HIPAA Business Associate Agreement, NexTrust’s Healthcare HIPAA Business Associate Agreement, attached as Exhibit A, shall apply.


DISCLAIMERS; NO WARRANTY


THE SITE AND SERVICES ARE PROVIDED "AS-IS" AND "AS AVAILABLE" AND NEXTRUST DOES NOT GUARANTEE OR PROMISE ANY SPECIFIC RESULTS FROM USE OF OR CONTINUOUS AVAILABILITY OF THE SITE OR SERVICES. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NEXTRUST EXPRESSLY DISCLAIMS ANY WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, AND WARRANTIES IMPLIED FOR A COURSE OF PERFORMANCE OR COURSE OF DEALING. Some jurisdictions may not allow the exclusion of implied warranties, so some of the above exclusions may not apply to you.


Your accessing and using the Site and Services is at your own risk. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, NEXTRUST MAKES NO WARRANTY THAT YOUR USE OF THE SITE AND SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE, THAT DEFECTS TO THE SITE AND SERVICES WILL BE CORRECTED, THAT THE SITE AND SERVICES OR THE SERVERS ON WHICH THEY ARE AVAILABLE WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT ANY INFORMATION OBTAINED BY YOU ON, THROUGH OR IN CONNECTION WITH THE SITE AND SERVICES OR THIRD PARTY SERVICES WILL BE ACCURATE, RELIABLE, TIMELY OR COMPLETE. 


UNDER NO CIRCUMSTANCES WILL NEXTRUST BE RESPONSIBLE FOR ANY LOSS OR DAMAGE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA, PROPERTY DAMAGE, PERSONAL INJURY OR DEATH) RESULTING FROM USE OF THE SITE OR SERVICES, PROBLEMS OR TECHNICAL MALFUNCTION IN CONNECTION WITH USE OF THE SITE OR SERVICES, ANY MATERIAL OBTAINED IN CONNECTION WITH THE SITE OR SERVICES, ANY SUBMISSION, ANY THIRD PARTY SERVICE IN CONNECTION WITH THE SITE OR SERVICES, OR THE CONDUCT OF ANY USERS OF THE SITE OR SERVICES. 


YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND SERVICES, AND ANY INFORMATION TRANSMITTED OR RECEIVED IN CONNECTION THEREWITH, MAY NOT BE SECURE AND MAY BE INTERCEPTED BY UNAUTHORIZED PARTIES. YOU ASSUME RESPONSIBILITY FOR THE ENTIRE COST OF ANY MAINTENANCE, REPAIR OR CORRECTION TO YOUR COMPUTER SYSTEM OR OTHER PROPERTY OR RECOVERY OR RECONSTRUCTION OF LOST DATA NECESSITATED BY YOUR USE OF THE NEXTRUST SITE AND SERVICES.


FOR YOUR CONVENIENCE, NEXTRUST’S WEBSITES MAY INLCUDE LINKS TO THIRD-PARTY WEBSITES THAT WILL LET YOU LEAVE A NEXTRUST WEBSITE. ANY SUCH LINKED THIRD-PARTY WEBSITE IS NOT OWNED, OPERATED, OR UNDER THE CONTROL OF NEXTRUST AND NEXTRUST IS NOT RESPONSIBLE FOR THE CONTENTS OF ANY LINKED THIRD-PARTY WEBSITE OR ANY LINK CONTAINED IN A LINKED THIRD-PARTY WEBSITE, OR ANY CHANGES OR UPDATES TO SUCH THIRD-PARTY WEBSITES. NEXTRUST IS NOT RESPONSIBLE FOR WEBCASTING OR ANY OTHER FORM OF TRANSMISSION RECEIVED FROM ANY LINKED THIRD-PARTY WEBSITE. THE INCLUSION OF ANY LINK TO SUCH THIRD-PARTY WEBSITE DOES NOT IMPLY ENDORSEMENT BY NEXTRUST OF THE WEBSITE.  IF YOU DECIDE TO ACCESS ANY OF THE THIRD-PARTY WEBSITES LINKED FROM THE SITE, YOU DO SO AT YOUR OWN RISK. SOME OF NEXTRUST’S third-party suppliers MAY HAVE the right to suspend or terminate the performance of their services TO NEXTRUST for contractual non-compliance by cmsdev.nextrust. YOU AGREE NOT TO LINK ANY OTHER WEBSITE TO ANY NEXTRUST WEBSITE WITHOUT THE PRIOR WRITTEN PERMISSION OF NEXTRUST.  


LIMITATION OF LIABILITY


TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL NEXTRUST AND/OR ITS SUPPLIERS BE RESPONSIBLE OR LIABLE FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING LOST REVENUES OR PROFITS, LOSS OF BUSINESS OR LOSS OF DATA REGARDLESS OF WHETHER IT WAS ADVISED, HAD REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SITE OR SERVICES. YOU ACKNOWLEDGE AND AGREE THAT ANY DAMAGES YOU INCUR ARISING OUT OF NEXTRUST’S ACTS OR OMISSIONS OR YOUR USE OF THE SITE OR SERVICES ARE NOT IRREPARABLE AND ARE INSUFFICIENT TO ENTITLE YOU TO AN INJUNCTION OR OTHER EQUITABLE RELIEF RESTRICTING THE AVAILABILITY OF OR ANY PERSON'S ABILITY TO ACCESS ANY PORTION OF THE SITE OR SERVICES.


Copyright and Use of Materials 


The information and materials contained in the Site and Services are protected under worldwide copyright laws and treaty provisions. Contents of the Site and Services are owned by NexTrust or other third parties. You may download, copy, and distribute NexTrust documents and brochures for your organization’s noncommercial use only; however, you are NOT authorized to make any changes to the same.  Prior written permission must be obtained from NexTrust for any other use of the materials. You may NOT modify, copy, license, publish, distribute, transmit, upload, reuse, report, or use the content of the Site or Services for public or commercial purposes.


TRADEMARKS


NexTrust®, BillFlash®, and MyProviderLink® are registered trademarks of NexTrust, Inc. NexTrust may own other trademarks and/or trade names that are not included here. The absence of a product or service name or logo from this list does not constitute a waiver of NexTrust’s trademark or other intellectual property rights concerning that name or logo. The names of third parties or their services used in connection with the Site or Services may be the trademarks of their respective owners. 


PROTECTING YOUR DATA


Protecting your data and privacy is important to NexTrust.  In performing the Services, NexTrust will comply with its Privacy Policy, which is available at the Site


NO ASSIGNMENT


You may not assign this Agreement or any right under this Agreement without the written consent of NexTrust. Any assignment in violation of this provision will be void.


Force Majeure


NexTrust will be excused from performance under this Agreement for any period during which, and to the extent that NexTrust or any subcontractor is prevented from performing any obligation or Service, in whole or in part, as a result of causes beyond its reasonable control, and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of terrorism or war, epidemics, communication line failures, and power failures.


Severability


Any portion or provision of this Agreement that is held to be invalid, illegal or unenforceable shall be ineffective to the extent of such invalidity, illegality or unenforceability, without affecting in any way the remaining portions or provisions hereof.


APPLICABLE LAW


The Site and Services are owned and operated by NexTrust, Inc. from its offices within the state of Utah in the United States of America.  NexTrust makes no representation that materials or services on the Site and Services are appropriate or available for use in other locations.  Those who choose to access the Site and Services from other locations do so on their own initiative and are responsible for compliance with applicable local laws.   You and NexTrust agree that sole and exclusive jurisdiction for any action or proceeding arising out of or related to this Agreement will be in state or federal court located in Salt Lake City, Utah.


Any rights not expressly granted herein are reserved. 


Please direct your questions to the appropriate contact(s) as listed on the Site. 


I HAVE READ THIS AGREEMENT AND AGREE TO ALL OF THE PROVISIONS CONTAINED ABOVE.         


 


Exhibit A – Healthcare HIPAA Business Associate Agreement

This HEALTHCARE HIPAA BUSINESS ASSOCIATE AGREEMENT ("BAA") is made part of and incorporated into the Agreement by and between the Parties to which this BAA is appended.    Notwithstanding the foregoing, in the event the Agreement DOES NOT INVOLVE OR REQUIRE the exchange or sharing of health information which is subject to HIPAA (as defined below), this BAA WILL NOT APPLY AND HAS NO LEGAL FORCE or effect on the Parties.     

A.    DEFINITIONS

“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, Security Rule, or HITECH Act, as described in 45 CFR § 164.402.

“Business Associate”, as is contemplated and described in 45 CFR § 160.103, means a person or entity who is a Party to the Agreement who receives and uses PHI from a Covered Entity or a Business Associate, as the case may be.

Covered Entity” means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form, as defined in 45 CFR § 160.103.

Data Aggregation Services” means the combining of PHI by Business Associate for purposes of analysis of the same.

“Designated Record Set”, as described by 45 CFR § 164.501, means a group of records maintained by or for a Covered Entity that is comprised of medical records and billing records about an individual maintained by or for a Covered Entity; enrollment information or medical record management systems maintained by or for a health plan; or, used in whole or in part, by or for the Covered Entity to make decisions about individuals.

EPHI” means electronic protected health information as defined in 45 CFR § 160.103.

HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended. 

HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009; in particular, and for purposes of this BAA, HITECH Act means Subtitle D of the act, which addresses the privacy and security concerns associated with the electronic transmission of health information.  

PHI” means protected health information, as defined in 45 CFR § 160.103.

Privacy Rule” means the provisions contained in 45 CFR Part 160 and Subparts A and E of Part 164.  

Secretary” means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been designated.

Security Rule” means the provisions contained in 45 CFR Part 160 and Subparts A and C of Part 164.

“Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.

Except as otherwise defined herein, capitalized terms have the same meaning as those terms are used in HIPAA, the Privacy Rule, Security Rule, and HITECH Act.

B.    PERMITTED USES AND DISCLOSURES OF PHI

  1. Use and Disclosures of PHI.  Except as otherwise limited in this BAA, the Party to whom PHI is disclosed pursuant to this BAA, is authorized to access, generate, use or disclose PHI as necessary and appropriate to perform functions, activities or services for, on behalf of the disclosing Party, as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Rules or the HITECH Act. The Parties may not use or disclose PHI in a manner that would violate subpart E of 45 CFR Part 164 if done by a Covered Entity.
  2. Permitted Uses of PHI.  Except as otherwise limited by this BAA, the Party to whom PHI is disclosed pursuant to this BAA may use the subject PHI for the proper management and administration of such Party, and to carry out the legal responsibilities of such Party.  
  3. Permitted Disclosures of PHI.  Except as otherwise limited in this BAA, the Party to whom PHI is disclosed pursuant to this BAA, may disclose PHI for the proper management and administration of such Party, provided that such disclosures are Required by Law, or such Party obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it is disclosed (which purpose must be consistent with the limitations imposed on such Party pursuant to this BAA), and the person notifies such Party of any instances of which it is aware in which the confidentiality of the information has been breached.  The Party to whom the PHI was disclosed pursuant to this BAA may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).  
  4. Data Aggregation Services.   Except as otherwise limited in this BAA, the Party to whom PHI is disclosed pursuant to this BAA may use PHI to provide Data Aggregation Services, as permitted by 45 CFR § 164.504(e)(2)(i)(B).  

C.    OBLIGATIONS OF THE PARTY TO WHOM PHI IS DISCLOSED 

  1. Privacy of PHI.  The Party to whom PHI is disclosed pursuant to this BAA has or will establish and implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.  The Party to whom PHI is disclosed pursuant to this BAA has or will establish and implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI created, received, maintained, and transmitted pursuant to this BAA.  
  2. Security of PHI.  The Party to whom PHI is disclosed pursuant to this BAA has or will develop, implement, maintain, and use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI, as required by the Security Rule The Party to whom PHI is disclosed pursuant to this BAA has or will comply with the provisions of subpart C of 45 CFR Part 164 relating to implementation of administrative, physical and technical safeguards with respect to EPHI in the same manner such provisions apply to the disclosing Party.  The Party to whom PHI is disclosed pursuant to this BAA has or will comply with any additional security requirements contained in the HIPAA Rules and HITECH Act that are applicable.
  3. Reporting of Improper Use or Disclosure, Security Incident or Breach.   The Party to whom PHI is disclosed pursuant to this BAA, will report to the disclosing Party any use or disclosure of PHI not provided for in this BAA of which it becomes aware.  The Party, to whom PHI is disclosed pursuant to this BAA, will report to the disclosing Party any Security Incident of which it becomes aware.  The Party to whom PHI is disclosed pursuant to this BAA will notify the disclosing Party of any Breach of Unsecured PHI no later than thirty (30) days after discovery of such Breach.  Such notification will include: (a) the identification of the individual whose Unsecured PHI has been, or is reasonably believed by the Party to whom the PHI was disclosed pursuant to this BAA to have been, accessed, acquired or disclosed during the Breach; and (b) any particulars regarding the Breach that the disclosing Party would need to include in its notification, as such particulars are identified in 42 USC §17932 and 45 § CFR 164.404.  
  4. Agents.  The Party to whom PHI is disclosed pursuant to this BAA will ensure that any agent or subcontractor to whom it provides PHI, agrees to the restrictions and conditions that are substantially similar to those that apply through this BAA to each of the Parties.  The Party to whom PHI is disclosed pursuant to this BAA will ensure that any agent, including a subcontractor, to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect such information.  
  5. Access to PHI.  The Parties do not intend that the Party to whom PHI is disclosed pursuant to this BAA maintain any PHI in a Designated Record Set.  To the extent the Party to whom PHI is disclosed pursuant to this BAA possesses PHI in a Designated Record Set, said Party agrees to make such information available to the disclosing Party pursuant to 42 USC § 17935(e)(1) and 45 CFR § 164.524, as applicable, within thirty (30) days of receipt of a written request from the disclosing Party; provided, however, the Party to whom PHI was disclosed pursuant to this BAA is not required to provide such access where the PHI contained in the Designated Record Set is duplicative of the PHI then possessed by disclosing Party.  If an individual makes a request for access pursuant to 45 CFR § 164.524 directly to the Party to whom PHI is disclosed pursuant to this BAA, or inquires about his or her right to access, said Party will direct the individual to the disclosing Party and notify the disclosing Party of such inquiry within thirty (30) days of receipt of such request. 
  6. Amendment of PHI.  The Parties do not intend the Party to whom PHI is disclosed pursuant to this BAA maintain any PHI in a Designated Record Set.  To the extent the Party to whom PHI is disclosed pursuant to this BAA possesses PHI in a Designated Record Set, said Party agrees to make such information available to the disclosing Party for amendment pursuant to 45 CFR § 164.526 within thirty (30) days of receipt of a written request from the disclosing Party.   If an individual submits a written request for amendment pursuant to 45 CFR § 164.526 directly to the Party to whom PHI is disclosed pursuant to this BAA, or inquires about his or her right to amendment, said Party will direct the individual to the disclosing Party and notify the disclosing Party of such inquiry within thirty (30) days of such request. 
  7. Documentation of Disclosures.  The Party to whom PHI is disclosed pursuant to this BAA will document disclosures of PHI and information related to such disclosures as would be required by the disclosing Party to respond to a request by and individual for an accounting of disclosures consistent with 45 CFR § 164.528 and 42 USC § 17935(c), as applicable.   The Party to whom PHI is disclosed pursuant to this BAA will document, at a minimum, the following information:   (a) the date of the disclosure; (b) the name and, if known, the address of the recipient of the PHI; (c) a brief description of the PHI disclosed; (d) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (e) any additional information required under the HITECH Act and any implementing regulations.  
  8. Accounting of Disclosures.  The Party to whom PHI is disclosed pursuant to this BAA will provide to the disclosing Party, within thirty (30) days of receipt of a written request from the disclosing Party, information collected in accordance with Paragraph 7 of Section C, above, to permit the disclosing Party to respond to a request by an individual for an accounting of disclosures of PHI consistent with 45 CFR § 164.528, and 42 USC § 17935(c), as applicable.  
  9. Governmental Access to Records.  The Party to whom PHI is disclosed pursuant to this BAA will make is internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by or on behalf of the disclosing Party available to the Secretary determining the Parties’ compliance with the Privacy and Security Rule.
  10. Mitigation.  To the extent practicable, the Party to whom PHI is disclosed pursuant to this BAA will cooperate with the disclosing Party’s efforts to mitigate a harmful effect that is known to the Party to whom PHI is disclosed pursuant to this BAA of a use or disclosure of PHI not provided for in this BAA.  
  11. Minimum Necessary.  The Party to whom PHI is disclosed pursuant to this BAA will request, use and disclose the minimum amount of PHI in accordance with the terms of this BAA, and as is necessary to accomplish the purposes of the Agreement.  
  12. Limitation on Marketing.  The Party to whom PHI is disclosed pursuant to this BAA may not use PHI it receives from the disclosing Party for marketing purposes unless it first obtains a written consent to do so from the disclosing Party, and any and all such marketing is made in accordance with 42 USC § 17936(a).  
  13. Sale of EPHI.  The Party to whom PHI is disclosed pursuant to this BAA will not sale PHI or EPHI obtained from the disclosing Party in accordance with 42 USC § 17935(d).  
  14. HITECH Act Applicability.  The Parties acknowledge that the enactment of the HITECH Act amended certain provisions of HIPAA that now directly regulate or will on future dates directly regulate the Parties and the use and disclosure of the PHI and EPHI which is the subject of this BAA.  To the extent not referenced or incorporated herein, requirements applicable to the Parties under the HITECH Act relative to the subject PHI and EPHI are hereby incorporated by this reference.  The Parties agree to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement. 

D.    OBLIGATIONS OF DISCLOSING PARTY

  1. Notification of Changes Regarding Individual Permission.   Prior to providing PHI to the Party to whom PHI will be disclosed pursuant to this BAA, the disclosing Party will notify the non-disclosing Party with any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such change may affect the non-disclosing Party’s use or disclosure of PHI as provided for in this BAA.  The disclosing Party will provide such notice no later than thirty (30) days prior to the effective date of such change.  
  2. Notification of Restrictions to Use or Disclosure of PHI.  The disclosing Party will notify the Party to whom PHI will be disclosed pursuant to this BAA of any restriction to the use or disclosure of PHI that the disclosing Party has agreed to in accordance with 45 CFR § 164.522 or 42 USC § 17935(a), to the extent that such restriction may affect the use or disclosure of PHI as is contemplated in the Agreement.    The disclosing Party will provide such notice within thirty (30) days prior the effective date of such restriction.   If the Party to whom PHI is to be disclosed pursuant to this BAA reasonably believes such restriction materially affects its ability to perform its obligations under the Agreement, the Parties will mutually agree upon any reasonably necessary modification of the Parties’ obligations under the Agreement. 
  3. Permissible Requests by Disclosing Party.  The disclosing Party will not request the Party to whom it will disclose PHI to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HITECH Act if done by the disclosing Party, except as permitted pursuant to this BAA. 

E.    TERMINATION

                1.             Term and Termination.  The term of this BAA shall be effective as of the date of acceptance by both Parties and shall terminate when PHI provided by the disclosing Party, or created, received or stored by the non-disclosing Party on behalf of the disclosing Party, is destroyed or returned to the disclosing Party, or, if it is infeasible to return or destroy the PHI, protections are extended to such PHI in accordance with the termination provisions set forth herein. 

                2.             Termination for Cause.  If either Party knows of a pattern or activity or practice of the other Party that constitutes a material breach or violation of this BAA, then the non-breaching Party shall either: (a) provide an opportunity for the other party to cure the breach or end the violation and terminate this BAA if the other Party does not cure the breach or end the violation within  the time specified;  (b) immediately terminate this Addendum if the other Party has breached a material term of this BAA and cure is not possible; (c) immediately terminate this BAA if the other Party has breached a material term of this BAA whether or not cure is possible; or (d) if neither termination nor cure is feasible, the non-breaching Party shall report the violation to the Secretary.  Material breach shall include a Party’s improper use or disclosure of PHI and any changes or diminution of such Party’s reported security procedures or safeguards that render any or all of such Party’s safeguards unsatisfactory to the other Party.  If this BAA is terminated for cause by NexTrust, NexTrust shall have the right to terminate any and all other agreements that with Associate that require the disclosure, use, maintenance, or transmission of PHI, without penalty.  In the event of such termination, NexTrust shall not be liable for payment to Associate for any services performed by Associate after the effective date of termination.  

                3.             Effect of Termination.  Except has provided herein, upon termination of this BAA, for any reason, the Parties shall cease and desist all uses and disclosures of PHI disclosed, used, maintained, or transmitted pursuant to this BAA (or a prior HIPAA business associate contract between the Parties), and the Parties will immediately return or destroy (if the other Party gives permission to destroy to the other Party) in a reasonable manner consistent with the HIPAA Rules; provided, however, the Parties will cooperate to ensure that no original PHI records are destroyed.  This provision shall apply to PHI that is in the possession of subcontractors or Agents of each of the Parties.  Except as provided herein, the Parties shall certify to one another that all PHI has been returned or destroyed within 30 days after termination or expiration of this BAA.  In the event a Party determines that returning or destroying PHI is infeasible, such Party will provide the other Party with written notification of the conditions that make return or destruction infeasible.  Upon mutual agreement of the Parties that return or destruction is infeasible, the Party in possession of the PHI shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as such Party maintains such PHI.

F.     MISCELLANEOUS

1.             In the event the Parties are subject to a Business Associate Agreement or addendum, this BAA shall supersede and replace such prior agreement or addendum.  

2.             In the event of any inconsistency between the provisions of this BAA and the Agreement, the provisions of this BAA will control.  In the event of inconsistency between this BAA and mandatory provisions of the Privacy Rule, Security Act, or the HITECH Act, as amended, or their interpretation by any court or regulatory agency with authority over one or both of the Parties, such interpretation controls; provided, however, that if any relevant provision of the Privacy Rule, Security Rule, or the HITECH Act is amended to change the obligations one or both of the Parties as set forth in this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.  Where the provisions of this BAA are different than those mandated by the Privacy Rule, Security Rule, or HITECH Act, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA control.