Privacy policy.

PRIVACY POLICY

Updated: December 30, 2021      

Scope

Your privacy is as important to us as it is to you, so we take the subject of privacy very seriously. For this reason, CLX Health LLC (“SymCheck”, “we”, “us”, “our”) developed this Privacy Policy (“Privacy Policy”) that describes how we collect, use, disclose, transfer, and store the personal information you may provide to us through your use of our web site at www.symcheck.com (“Site” or “Services”) in accordance with our Terms of Use. It also describes the choices that may be available to you regarding our use of your personal information and how you can access and update this information.

This Privacy Policy covers only personal information that may be collected or requested through our Site, any downloadable application we may provide, or anytime you may be in contact with SymCheck or our affiliates. This Privacy Policy does not cover any other data collection or processing, including, without limitation, data collection practices of other web pages to which we link or data processing practices of users of our service.

Collection and Use of Personal Information

Personal Information (“PI”) is data that can be used to identify or contact a single person. Because SymCheck’s intent is to help its users reduce the transmission of viruses such as SARS-CoV-2, such PI may also include Personal (or Protected) Health Information (“PHI”), which is data that generally refers to demographic information, medical records, test results and other data that a healthcare professional collects to identify an individual to determine appropriate care. Accordingly, certain data collected in the due course of completing a SymCheck personal certification may be deemed to contain PHI and we will treat such data as PHI in accordance with our Terms of Use and comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

SymCheck and its affiliates may share your PI with each other and use it consistent with this Privacy Policy and in accordance with our Terms of Use. We may also combine it with other information to provide and improve our products, Service, and content. You are not required to provide the PI that may be requested, but, if you choose not to do so, in many cases we will not be able to provide you with our Service or respond to any queries you may have.

Some examples of the types of PI we may collect include:

  • Contact Information such as name, email address, mailing address, phone number, contact preferences, IP address, location information, and device information 

  • Billing Information such as credit card number, and billing address. 

  • It is possible in connection with certain health care related services that we might obtain access to certain identifiable PHI. To the extent we obtain access to your PHI, we will maintain the confidentiality of the PHI in accordance with all applicable laws and our contractual obligations, although we do reserve the right to share such PHI with third parties for the purpose of complying with applicable pre-screening requirements or laws.

As is true of most web sites, we gather certain information automatically and store it in log files. This information includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We may combine this automatically collected log information with other information we collect about you. We do this to improve services we offer you.

Information Sharing

We will share your PI with third parties only in the ways that are described in this Privacy Policy and our Terms of Use. We do not sell your PI to third parties. We are not in the business of selling, renting or sharing your information with third parties for their marketing purposes and do not share your personally identifiable information with others, except as described below.

  • As required by law such as to comply with a subpoena, or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your health, safety or general wellbeing or the same of others, investigate fraud, respond to a government or health department request, for the performance of a contract or obligation to which you are party, or when we have assessed it is necessary for the purposes of the legitimate interests pursued by us or a third party to whom it may be necessary to disclose information. If you have questions about this legal basis you can contact the Data Protection Officer.

  • If SymCheck is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Site or in our Service of any change in ownership or uses of your PI, as well as any choices you may have regarding your PI.

  • To any other third party in accordance with our Terms of Use, with your prior consent as provided therein.

  • We also engage agents and service providers who have access to data, but only to process such data on our behalf and for our purposes under confidentiality or other legally binding agreements.

  • We reserve the right to use and disclose any information collected via the Site that is not in personally identifiable form, including information that has been aggregated with similar information from many other users so that it can no longer be used to specifically identify you.

  • We also may provide your PI to companies that provide services to help us with our business activities such as offering customer service or analyzing data to improve our Service to you. These companies are authorized to use your PI only as necessary and directed in accordance with this Privacy Policy to provide these services to us.

  • The PI you provide allows us to keep you posted on our latest Service announcements and other communications relevant to the operation of the Service, including other related projects or offers. If you don’t want to be on our mailing list, you can opt out at any time by updating your preferences or by emailing support@symcheck.com.

  • We may use your PI, including your mobile phone number and name, to verify identity, assist with identification of users, and to determine appropriate services. For example, we may use your mobile number to notify you of a health-related issue.

  • From time to time, we may use your PI to send important notices, such as communications about changes to our Terms of Use, conditions, and policies. Because this information is important to your interaction with us, you may not opt out of receiving these communications.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve our Services, and customer communications.

  • SymCheck will share the information collected from you with the establishment or location that has requested your SymCheck, typically, your employer or place you intend to visit. Other establishments cannot use the SymCheck services to access information pertaining to you from other establishments, except that establishments with similar corporate ownership or management may elect to share such information.

  • If you have given permission to an establishment to communicate with you, the establishment may do so, subject to the establishment’s policies and procedures, including those relating to the storage and management of personal data.

  • Each establishment is a separate business from SymCheck. While SymCheck encourages establishments to comply with data protection requirements, SymCheck will not be responsible for an establishment’s failure to comply with laws applicable to the use of personal data, including PHI. Any complaints or inquiries regarding use of your information by an establishment, or marketing communications from an establishment, should be addressed directly to the establishment in question.

  • In no event will SymCheck be responsible for information, management, and use of data collected by establishments from their own websites and not stored on the SymCheck servers.

  • As a consequence of your relationship with the recipient of the PI or PHI, such as in the context of your employment or contractual relationship with the recipient or any Collector (as defined in our Terms of Use) of such personal information, subject in all instances to the recipient’s compliance with the terms of this Privacy Policy, you agree that there is good and valuable consideration to be derived from such relationship and/or as is necessary to support and justify SymCheck’s dissemination of your PI or PHI as a result thereof or in connection with the Services.

  • Notwithstanding anything to the contrary in this Policy, SymCheck may be required to disclose PI, including PHI, in response to inquiries by formal law enforcement, or in cases permitted by the United States’ CAN-SPAM Act of 2003 (CAN-SPAM), the European General Data Protection Regulation and its implementing laws, Japan's PI Protection Act, or other laws governing the use and disclosure of PI.

Collection and Use of Non-Personal Information

We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information (“NPI”) for any purpose. The following are some examples of NPI that we collect and how we may use it:

  • We may collect information such as language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where the Service is used so that we can better understand user behavior and improve our Service.

  • We may collect information regarding user activities on our Site and Service. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our Site and Services are most used. Aggregated data is considered NPI for the purposes of this Privacy Policy.

  • We may collect and store details of how you use our Service, including but not limited to search queries, scan data and QR code sharing. This information may be used to improve the efficacy of our Service. Except in limited instances to ensure quality and performance of our Service over the Internet, such information will not be associated with your IP address.

  • With your explicit consent, we may collect data about how you use our Service in order to help us improve your experience.

If we do combine NPI with PI, the combined information will be treated as personal information for as long as it remains combined.

Information Obtained from Third Parties

If you provide us PI about others, or if others give us your information, including your PHI, we will only use that information for the specific reason for which it was provided to us and we will take reasonable steps consistent with applicable laws and our contractual obligations to minimize our need to have access to your PI or PHI.

Protection of Personal Information

As we stated at the beginning of this Privacy Policy, we take the security of your PI and PHI very seriously and take reasonable steps to protect your PI, including your PHI, from loss, misuse, and unauthorized access, disclosure, alteration and destruction. We protect your personal information during transit using encryption such as Transport Layer Security (TLS). When your personal data is stored by us, it is also encrypted in both active and archival states in computer systems with limited access housed in facilities using physical security measures. Furthermore, all data is collected and used in strict compliance with local, state and federal laws, as well as HIPAA, EEOC and CDC guidelines.

In addition, we require all third-party service providers, contractors or agents (individually a “Covered Entity”) who might receive access to PHI in the course of their contractual activities with SymCheck or the Service, to affirm their willingness to accept responsibility for the safety of your PHI and maintain appropriate safeguards. Each such Covered Entity, as well as all Collectors, as defined in our Terms of Use, confirm that by requesting access to any User Content, as defined in our Terms of Use, that is deemed PHI, you are agreeing to comply with and be bound by SymCheck’s Master Business Associate Agreement (“BAA”), which is attached hereto as Exhibit A. Without in any way limiting the foregoing, each Covered Entity and Collector agrees to comply with its obligations as a recipient of PHI to all applicable federal, state and local laws and requirements, including the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and as may be further modified or superseded from time to time (collectively "HIPAA").

Notwithstanding, although we follow generally accepted industry standards to protect the PI/PHI submitted to us, both during transmission and once we receive it, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Site, you can contact us at support@symcheck.com. Remember, it is your responsibility to safeguard any password and User ID you use to access the Site and to notify us at support@symcheck.com if you ever suspect that your password or User ID has been compromised. You are solely responsible for any unauthorized use of the Site conducted using your password and User ID.

Tracking Technologies

SymCheck uses technologies such as cookies. Third party partners also use cookies and scripts. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis. 

We use cookies for authentication and to remember users’ settings and PI when you use our Services. Our goal in these cases is to make your experience with us more convenient, personal and secure. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use our Service for which it is intended may be limited or possibly unusable. These technologies help us better understand user behavior in interacting with our Service as well as augment the usability of the Service for our users. We treat information collected by cookies and other technologies as non‑personal information. However, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered PI by local law, we also treat these identifiers as PI. Similarly, to the extent that NPI is combined with PI, we treat the combined information as PI for the purposes of this Privacy Policy.

We do not currently respond to “do not track” signals or other mechanisms that might enable users to opt out of tracking on our Site as we do not provide targeted advertising.

Analytics Services

In addition to the tracking technologies we place, other companies may set their own cookies or similar tools when you visit our Site. This includes third party analytics services, such as Google Analytics (“Analytics Services”), that we engage to help analyze how users use the Site, as well as third parties that deliver content or offers. We may receive reports based on these parties’ use of these tools on an individual or aggregate basis. We use the information we get from Analytics Services only to improve our Site and Services. The information generated by the Cookies or other technologies about your use of our Site and Services (the “Analytics Information”) is transmitted to the Analytics Services. The Analytics Services use Analytics Information to compile reports on user activity. The Analytics Services may also transfer information to third parties where required to do so by law, or where such third parties process Analytics Information on their behalf. Each Analytics Services’ ability to use and share Analytics Information is restricted by such Analytics Services’ Terms of Use and Privacy Policy. By using our Site and Services, you consent to the processing of data about you by Analytics Services in the manner and for the purposes set out above. For a full list of Analytics Services, please contact us at support@symcheck.com. 

Mobile Services

We may also collect NPI from your mobile device. This information is generally used to help us deliver the most relevant experience to you. Examples of information that may be collected and used include your geographic location, how you use the Service, and information about the type of device you use. This information is collected and processed anonymously and is not unique to any individual. As such, it cannot be used to identify and/or target a specific individual; however, in the aggregate, it can be used to enhance an individual user experience.

Data Retention

We will retain your information for as long as your account is active or as needed to provide relevant services. If you wish to cancel your account or request that we no longer use your individual PI, including any PHI, please contact us at support@symcheck.com. We will retain and use your PI as necessary to comply with our legal and contractual obligations, resolve disputes, and enforce our agreements.

If you have a right to request, and if you request the same in accordance with SymCheck’s then applicable policies and procedures, SymCheck will make available to you the data collected and still being retained by SymCheck. The transmission of such data, including any PHI, will be in such format and pursuant to such rules and regulations as SymCheck designates. Upon the transmission and delivery of any such data, SymCheck will no longer be responsible for retaining, protecting or securing the same, and by your request for such data, you accept full responsibility for the confidentiality and security of such data in accordance with all applicable requirements, including those pertaining to the maintenance of employee or third party medical records, if applicable.

Disclosure and Control of Personal Data

If you wish to have SymCheck disclose what personal data of yours it holds, and/or how SymCheck obtained such information, or to be informed of the purpose of use of personal data by SymCheck, please contact us at support@symcheck.com or by visiting your personal account settings at www.symcheck.com. SymCheck will process such request in compliance with all applicable privacy laws but may first confirm that such request has been made by you personally.

Children’s Privacy

The Site is intended for adults in the United States. We do not intentionally or knowingly collect personally identifiable information from children under the age of 13. To use the Service, you must be at least 13 years old and have not previously been removed or suspended from the Service for any reason. 

If we learn that we have collected the personal information of a child under 13, or equivalent minimum age depending on jurisdiction, outside the above circumstances we will take steps to delete the information as soon as possible. If at any time a parent needs to access, correct, or delete data associated with their child’s account, they may contact us through one of the options provided at the bottom of this page.

Notwithstanding, upon request to support@symcheck.com, a parent or guardian of a child may request “direct notice” of our Privacy Policy practices in compliance with the Federal Trade Commission’s COPPA Rule, which is part of the Children’s Online Privacy Protection Act, in order to obtain parental consent for a child under the age of 13 years to use the Service as intended.

In addition, schools that agree to set up and manage a SymCheck Managed Student account and have reviewed and consented to the Managed Student Disclosure may create a Managed Student Account for students. The Managed Students Account Disclosure describes how SymCheck handles student information and supplements our Privacy Policy.

Terms of Use

Your use of our Site is governed by our Terms of Use, which contains disclaimers, limitations of liability, and jurisdiction, and other important terms and conditions.

Testimonials, Comments and Reviews 

We may post customer testimonials, comments, and reviews on our Site, which may contain PI. If we do, we will obtain the customer's consent by email prior to posting such testimonial, comment, or review as part of Customer’s assent to the Terms of Use or otherwise. If you wish to update or delete your testimonial, you can contact us at support@symcheck.com.

Notification of Privacy Policy Changes

We may update this Privacy Policy at any time to reflect changes to our information practices. If we make any material changes, we will notify you by means of a notice on our Site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. This Privacy Policy is effective as of the date first above written.

Companywide Commitment to your Privacy

To make sure your PI/PHI is secure, we communicate our privacy and security guidelines to SymCheck employees and strictly enforce privacy safeguards within the company.

Privacy Questions and Contact Information

If you have any questions or concerns about our Privacy Policy or information processing, you would like to contact our Data Protection Officer, or if you would like to make a complaint about a possible breach of local privacy laws, please contact us at the address below. If you send an email, please use “Privacy Inquiry” as the subject heading.

We will attempt to respond within seven (7) days wherever possible, providing a response on the issue raised, requesting additional information where necessary or indicating that a response will require additional time. You may at any time refer your complaint to the relevant regulator in your jurisdiction if you are unsatisfied with a reply received from us. If you ask us, we will endeavor to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

Where your complaint indicates an improvement could be made in our handling of privacy issues, we will take steps to make such an update at the next reasonable opportunity. If a privacy issue has resulted in a negative impact on you or another person, we will take steps to address that with you or that other person.

We may update our Privacy Policy from time to time. When we change the policy in a material way, a notice will be posted on our Site along with the updated Privacy Policy. We may also contact you via your contact information on file, for example by email, notification or some other equivalent method.

CLX Health LLC 
Attention: Data Protection Officer
200 Continental Drive, #401
Newark, DE 19713
Email: legal@symcheck.com


EXHIBIT A 

MASTER BUSINESS ASSOCIATE AGREEMENT

Updated: December 30, 2021

By signing up and using the Services as described in the Terms of Use, this Master Business Associate Agreement ("Agreement") becomes effective on the date you first begin to use the Service as defined therein ("Effective Date"), between you (and, if any, your parent corporation, and affiliates and subsidiaries under common ownership or control, collectively called "Business Associate") and CLX Health LLC, 200 Continental Drive, #401, Newark, DE 19713 ("SymCheck"). 

WITNESSETH:

WHEREAS, SymCheck wishes to allow the Business Associate to have access to Protected Health Information (“PHI”) and including Electronic Protected Health Information (“EPHI”) referred to hereafter as PHI that is either provided to the Business Associate by SymCheck, or received, viewed, maintained, transmitted or created by the Business Associate on behalf of SymCheck in the course of performing Services to, for or on behalf of SymCheck;

WHEREAS, the Business Associate requires access to such PHI in order to effectively perform Services to, for or on behalf of SymCheck; 

WHEREAS, SymCheck and Business Associate are subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and as may be further modified or superseded from time to time (collectively "HIPAA"), and among other obligations under HIPAA are required to enter into agreements with respect to the use and disclosure and safeguarding of PHI; and

WHEREAS, the parties desire to enter into this Agreement in order to set forth the terms and conditions pursuant to which PHI will be handled by the Business Associate and certain third parties, as applicable, during the duration of this Agreement and upon its termination, cancellation, expiration or other conclusion. 

NOW, THEREFORE, in consideration of the mutual promises and covenants set forth herein, and for good and valuable consideration receipt of which is hereby acknowledged, the parties hereby agree as follows: 

1.  DEFINITIONS  

1.1 General. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings set forth under the HIPAA Rules, including but not limited to 45 C.F.R. §§160.103, 164.103, 164.304, 164.401 and 164.501, as currently drafted and as subsequently updated or revised.

1.2 Business Associate. "Business Associate" shall have the meaning set forth in 45 C.F.R. §160.103, as interpreted by HHS.  For purposes of this agreement a BA shall include, but not be limited to a Data Transmission Organization.

1.3 Breach Notification Rule. “Breach Notification Rule” shall mean the Standards governing Breach Notification for Unsecured Protected Health Information at 45 C.F.R. Part 160 and 164.  

1.4 Data Transmission Organization. “Data Transmission Organization” shall mean an entity that provides data transfer services for or on behalf of SymCheck and requires access on a routine basis to PHI. Examples of Data Transmission Organizations include but are not limited to a health information exchange/organization (“HIE”) vendor that manages the exchange of PHI through a network and provides record locator services and/or various oversight and governance functions for the HIE; a data storage company or other entity that creates, receives, maintains, stores or transmits data on behalf of SymCheck, such as a cloud storage provider; or an entity identified by HHS in guidance or otherwise as a Data Transmission Organization. A Data Transmission Organization does not include an entity that provides data conduit services on behalf of SymCheck and accesses data only on a random, occasional basis. SymCheck shall determine whether a vendor is a Data Transmission Organization for purposes of this Agreement.

1.5 HIPAA Rules. “HIPAA Rules” shall mean the Standard Transactions, Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160, 162 and 164 including any interpretation of HIPAA Rules by HHS.  

1.6 Information Security Officer.  “Information Security Officer” shall mean the person designated by SymCheck to fulfill the functions of the security official set forth in 45 C.F.R. §164.308(a)(2).   

1.7 Privacy Officer. "Privacy Officer" shall mean the person designated by SymCheck to fulfill the functions of the privacy official set forth in 45 C.F.R. §164.530(a)(1).

1.8 Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164.

1.9 Security Rule.  "Security Rule" shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164.

1.10 Services; Services Contracts.  “Services” means certain services provided or to be provided by Business Associate to, for or on behalf of SymCheck under existing or future contracts (“Services Contracts”) that require the use and/or disclosure of PHI.

2.  PERMITTED USES AND DISCLOSURES OF PHI BY THE BUSINESS ASSOCIATE

2.1 Use & Disclosure to Provide the Services to SymCheck. The Business Associate does or will provide the Services to, for, or on behalf of SymCheck pursuant to Services Contracts.  Except as otherwise expressly provided herein, the Business Associate may use or disclose PHI under any Services Contracts only as necessary to comply with applicable state and federal laws and to satisfy its obligations under such agreements as long as such use or disclosure of PHI would not violate HIPAA if done by SymCheck, except as set forth in Section 2.2 herein. All other uses or disclosures of the PHI not expressly authorized herein are strictly prohibited. 

2.2 Use & Disclosure for Management and Administration Purposes. In addition to the uses and disclosures described above, the Business Associate may use PHI for management and administration purposes and to satisfy any present or future legal responsibilities of the Business Associate provided that such uses are permitted under applicable state and federal laws; 

3.  RESPONSIBILITIES OF THE BUSINESS ASSOCIATE WITH RESPECT TO PHI

3.1 The Business Associate's Responsibilities. With respect to any use and/or disclosure of PHI, the Business Associate hereby agrees that it shall: 

a)  use and/or disclose PHI only as permitted or required by this Agreement, as required by the HIPAA Rules or as otherwise Required by Law. 

b)  implement comprehensive procedures for mitigating any harmful effects from any unauthorized use and/or disclosure of PHI by the Business Associate, its agents or subcontractors. 

c)  report to SymCheck's Chief Technology Officer, in writing, any use and/or disclosure of PHI that is not authorized hereunder, including but not limited to a violation of the HIPAA Rules, a Security Incident or a Breach, of which the Business Associate becomes aware immediately, but no later than one (1) day of the Business Associate's discovery of such incident. The Business Associate's report of such incident shall specify at least, (i) the nature of the incident; (ii) the specific PHI that was involved including the PHI data elements and number of individuals whose data was involved; (iii) the party responsible for making the unauthorized access, use, disclosure, modification or destruction of PHI; (iv) what, if any actions the Business Associate has taken or will take to limit the extent of the incident, and to mitigate the damage resulting therefrom; (v) what, if any corrective actions the Business Associate has or will take to prevent further incidents; (vi) when such corrective measures will be taken (if they have not already been completed), and, as applicable, an explanation of why they have not already been completed; and (vii) provide SymCheck with any other information SymCheck reasonably requests.  The Business Associate understands that the reporting obligation applies with respect to any unauthorized use and/or disclosure of PHI, Breach, or Security Incident by a subcontractor or agent of the Business Associate that creates, receives, maintains, uses, accesses, discloses, transmits or destroys PHI to perform a service for or on behalf of Business Associate.

d)  develop, implement, maintain and utilize appropriate administrative, technical and physical safeguards, in compliance with the Standards for Information Transactions and Data Elements, Social Security Act § 1173(d) (42 U.S.C. § 1320d-2(d)); the HIPAA Rules, and any other regulations now in effect or later issued by HHS that implement HIPAA or any other privacy or security law applicable to PHI, to preserve the integrity, availability, and confidentiality of, and to prevent unauthorized use and/or disclosure of PHI, which Business Associate creates, receives, maintains, transmits, or disposes of on behalf of SymCheck.

e) require any of its subcontractors and/or agents that receive, use or have any access to PHI as authorized by this Agreement (which subcontractors and/or agents also meet the definition of Business Associates under HIPAA), to enter into a written agreement with the Business Associate, which agreement shall contain provisions substantially similar to this Agreement, to comply with the same obligations and restrictions as are required of the Business Associate hereunder.

f)  provide the Secretary of HHS with access to all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI for compliance investigations. 

g)  upon receipt of a written request, provide SymCheck with access to all records, books, agreements, policies and procedures, and system and programs for the purpose of enabling SymCheck to investigate or audit the Business Associate's compliance with the terms of this Agreement. Such access shall be at the Business Associate's place of business during routine operating hours. Business Associate acknowledges that SymCheck has the right, but not the obligation, to access and audit Business Associate's security systems and programs.

h)  subject to Section 7.4 below, within thirty (30) days of the termination of this Agreement, return to SymCheck or destroy all PHI in its possession. The Business Associate shall not retain any copies of such information in any form. 

i)  disclose to its subcontractors, agents and any other third parties, and request receipt from SymCheck, only the minimum PHI necessary to conduct or fulfill a specific function authorized hereunder in accordance with the HIPAA Rules. 

j) if an authorized use and/or disclosure of PHI constitutes a Breach, implement a program to respond to the Breach in compliance with the Breach Notification Rule as may be determined and/or directed by SymCheck.

k) advise and contact the SymCheck Information Security Officer in advance of execution of this agreement and throughout the course of this agreement whether SymCheck PHI will be transmitted, disclosed or maintained by the Business Associate or any person/entity engaged by the Business Associate in either of the following:

(i)     in a location outside of the United States; or
(ii)    by a person outside the United States.  

l)  at the request of, and in the time and manner designated by SymCheck, provide access to any PHI contained in a Designated Record Set to SymCheck or to the individual who is the subject of such PHI or his or her authorized representative, as applicable, in order to satisfy a request for inspection and/or copying under 45 C.F.R. § 164.524. 

m)  at the request of, and in the time and manner designated by SymCheck, make any amendment(s) that SymCheck so directs, or permit SymCheck access to amend, any portion of the PHI pursuant to 45 C.F.R. § 164.526 in order to allow SymCheck to comply with the Privacy Rule. 

n)  at the request of, and in the time and manner designated by SymCheck, comply with any restrictions that SymCheck has agreed to adhere to pursuant to 45 C.F.R. §164.522 with regard to the use and disclosure of PHI of any individual that materially affects and/or limits the uses and disclosures that are otherwise permitted. 

o)  record each disclosure that the Business Associate makes of PHI in order for SymCheck to respond to an individual's request for an accounting in accordance with 45 C.F.R. §164.528. Said disclosure information must be kept by the Business Associate for a period of six (6) years from the date of disclosure. 

p) within five (5) days of receipt of a written request from SymCheck, provide SymCheck with such information as is requested to permit SymCheck to respond to a request by an individual for an accounting of disclosures of all PHI related to the individual.

4.  RESPONSIBILITIES OF SYMCHECK WITH RESPECT TO PHI

SymCheck hereby undertakes to do the following to the extent material to the PHI held by the Business Associate: 

a)  post a link to SymCheck's current Privacy Policy that SymCheck provides to individuals pursuant to 45 C.F.R. §164.520. 

b)  inform the Business Associate of any changes in, or withdrawal of, any relevant authorization provided to SymCheck by individuals pursuant to 45 C.F.R. §164.508, that impacts the Business Associate under this Agreement. 

c)  notify the Business Associate, in writing, of any arrangements permitted or required under 45 C.F.R. parts 160 and 164 that impact the use and/or disclosure of PHI by the Business Associate under this Agreement, including, but not limited to, restrictions on use and/or disclosure of PHI as provided for in 45 C.F.R. §164.522 agreed to by SymCheck.

d)  notify the Business Associate, in writing, of any PHI that SymCheck seeks to make available to an individual pursuant to 45 C.F.R. § 164.524 and the time, manner and form in which the Business Associate shall provide such access.

e)  notify the Business Associate, in writing, of any amendment(s) to PHI in the possession of the Business Associate that the Business Associate shall make and inform the Business Associate of the time, form and manner in which such amendment(s) shall be made. 

5.  COMPLIANCE WITH STANDARD TRANSACTIONS

Compliance with Standard Transactions by the Business Associate. If the Business Associate conducts in whole or in part Standard Transactions for or on behalf of SymCheck, the Business Associate shall: 

a)  comply and require all subcontractors and agents of the Business Associate to comply with each applicable requirement of 45 C.F.R. Part 162. 

b)  not enter into, or permit its subcontractors or agents to enter into, any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of SymCheck that: 

(i)     alters the definition, data condition, or use of any data element or segment in any Standard Transaction; 
(ii)    adds any elements or segments to the maximum defined data set; 
(iii)   uses any code or data element that is marked "not used" in the Standard Transaction's specifications for execution or is not in the Standard Transaction's specifications for execution; 
(iv)  changes the meaning or intent of the Standard Transaction's specifications for implementation. 

6.  REPRESENTATIONS AND WARRANTIES

Mutual Representations and Warranties of the Parties. Each party hereby represents and warrants to the other party: 

a)  that it is a duly organized, validly existing entity in good standing under the laws of the jurisdiction in which it is organized or licensed and it has full authority to enter into this Agreement and perform all obligations hereunder; and all necessary actions have been taken to duly authorize the full performance of its obligations hereunder and no such obligation will violate any provision of any license, corporate charter or bylaws which apply to such party. 

b)  that neither the execution of this Agreement, nor its performance hereunder, will directly or indirectly violate or interfere with the terms of any other executed agreement to which it is a party, or give any governmental entity the right to suspend, terminate or modify any of its governmental authorizations or assets required for its performance hereunder. Each party represents and warrants to the other party that it will not enter into any agreement the execution and/or performance of which would violate or otherwise interfere with this Agreement. 

c)  that it is not currently, or based on current knowledge, contemplating becoming the subject of a voluntary or involuntary petition in bankruptcy. 

d)  that all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this Agreement are or shall be appropriately informed of the terms of this Agreement and are under a legal obligation to each party, respectively, by contract or otherwise, sufficient to enable each party to fully comply with all provisions of this Agreement. 

e)  that it will reasonably cooperate with the other party in the performance of the mutual obligations under this Agreement. 

f) that it has provided HIPAA training to its Workforce as required under the HIPAA Rules.

7.  TERMS AND TERMINATION

7.1 Term. This Agreement shall become effective as of the Effective Date, and shall continue in effect until the earliest of: (1) all of the PHI provided by SymCheck to the Business Associate, or created or received by the Business Associate on behalf of SymCheck, is destroyed or returned to SymCheck (or, if it is infeasible to return or destroy such PHI, then such PHI shall continue to be protected as set forth in Section 7.4) and all other obligations of the parties have been met; (2) the Agreement is terminated by SymCheck as provided in Section 7.2; or (3) the Services Contract is completed, concluded or otherwise terminated, in which case this Agreement will terminate automatically and without the need for any further action or notice on the part of either SymCheck or Business Associate, and such automatic termination shall occur simultaneously with the conclusion, completion or termination of the arrangement for Services. 

7.2 Termination by SymCheck. As provided for under 45 C.F.R. § 164.504(e)(2)(iii) and 45 C.F.R. § 164.314(a)(2)(i), SymCheck may immediately terminate this Agreement as to all or any specified contracts between SymCheck and the Business Associate, if SymCheck, in its sole discretion, determines that the Business Associate has breached a material term of this Agreement. SymCheck may exercise said right to terminate this Agreement by providing the Business Associate with written notice of its intent to terminate specifying the material breach of the Agreement that provides the basis for termination. Such termination may be effective immediately or at another date specified in the notice. 

7.3 Opportunity to Cure. Notwithstanding Section 7.2 above, in SymCheck’s sole discretion, SymCheck may elect to: (i) provide the Business Associate with written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure the alleged material breach. Failure to cure within thirty (30) days shall constitute grounds for the immediate termination of this Agreement by SymCheck.

7.4 Effect of Termination. Upon the termination, cancellation, or any other conclusion of this Agreement, the Business Associate shall, if feasible, return to SymCheck or destroy all PHI, in whatever form or medium, pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(I), including but not limited to PHI in the possession of its subcontractors and/or agents, within thirty (30) days of the effective date of the termination, cancellation or other conclusion of this Agreement. 

a)  Once all PHI in the Business Associate's possession or control, including but not limited to PHI in the possession or control of its subcontractors and/or agents, has been returned to SymCheck or destroyed, the Business Associate shall provide a written certification to SymCheck regarding the return or destruction of such PHI within such thirty (30) day period. Such certification shall be relied upon by SymCheck as a binding representation. 

b)  If the Business Associate believes that return or destruction of PHI in its possession and/or in the possession of its subcontractors or agents is infeasible, the Business Associate shall notify SymCheck of such infeasibility in writing. Said notification shall include: (i) a statement that the Business Associate has, in good faith, determined that it is infeasible to return or destroy the PHI in its possession and/or in the possession of its subcontractors or agents, as applicable, (ii) identification of the PHI that the Business Associate believes it is infeasible to return or destroy, and (iii) the specific reasons for such determination. In addition to providing such notification, the Business Associate shall certify within such thirty (30) day period that it will and will require its subcontractors or agents, as applicable, to limit any further uses and/or disclosures of such PHI to the purposes that make the return or destruction of the PHI infeasible. 

8.  INDEMNIFICATION

8.1 Indemnity. The Business Associate agrees to indemnify and hold harmless SymCheck and SymCheck's affiliates, trustees, officers, directors, medical or other professional staff members, employees, or agents (collectively called "Indemnitees") from and against any claims, causes of action, liability, damages, costs, fines, assessments, or expenses, including: attorneys' fees; court or proceeding costs; costs related to investigation, notification and credit monitoring services offered to affected individuals (collectively called "Claims"), arising out of or in connection with any illegal, wrongful, non-permitted, unauthorized use or disclosure of PHI, including but not limited to a Breach, or other breach of this Agreement by the Business Associate or any subcontractor, agent, person or entity under the Business Associate's control.

8.2 Control of Defense. If any Indemnitees are named a party in any judicial, administrative or other proceeding arising out of or in connection with any use or disclosure of PHI not permitted by this Agreement or other breach of this Agreement by the Business Associate or any subcontractor, agent, individual or organization under the Business Associate's control, then Indemnitees shall have the option at any time either (i) to tender defense to the Business Associate, in which case the Business Associate shall provide qualified attorneys, consultants and other appropriate professionals to represent Indemnitee's interests at the Business Associate's expense, or (ii) undertake its own defense, choosing the attorneys, consultants and other appropriate professionals to represent its interests, in which case the Business Associate shall be responsible for and pay the reasonable fees and expenses of such attorneys, consultants and other professionals. 

8.3 Control of Resolution. Indemnitees shall have the sole right and discretion to settle, compromise or otherwise resolve any and all Claims against them, notwithstanding that Indemnitees may have tendered defense to the Business Associate. Any such resolution will not relieve the Business Associate of its obligation to indemnify Indemnitees under this Section. 

9.  CONFIDENTIALITY

This Agreement does not affect any existing or future contracts or obligations between the parties to the degree those contracts or obligations do not involve the confidentiality, use, or disclosure of PHI. This Agreement, however, does supersede all existing and future contracts and obligations between the parties to the degree they involve the confidentiality, use, or disclosure of PHI unless the parties otherwise expressly agree in a future contract. 

10.  MISCELLANEOUS

10.1 Survival. The respective rights and obligations of the Business Associate and SymCheck under the provisions of Sections 3, 4,  7.4, and Section 8 hereto solely with respect to PHI the Business Associate retains in accordance with Section 7.4 because it is not feasible to return or destroy such PHI, shall survive termination of this Agreement indefinitely. In addition, Section 9 shall survive termination of this Agreement indefinitely, notwithstanding whether the Business Associate retains PHI in accordance with Section 7.4 hereto. 

10.2 Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the parties and expressly amending this Agreement. Notwithstanding the foregoing, to the extent the Privacy Rule or Security Rule, or any other applicable law related to the privacy or security of health information is materially amended, updated, or revised following the execution of this Agreement, the parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for SymCheck to comply with the requirements of the Privacy Rule, the Security Rule, and HIPAA. The parties specifically intend and agree that this Agreement shall not be superseded inadvertently at a later date, and that no contracts between the parties on or after the effective date of this Agreement containing general statements purporting to supersede prior agreements shall have any effect on this Agreement, unless this Agreement is clearly and expressly referenced as being superseded. 

10.3 Waiver. A waiver with respect to one event shall not be construed as continuing, or as a bar or waiver of any right or remedy as to subsequent events. 

10.4 No Third-Party Beneficiaries. Nothing contained herein, whether express or implied, is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever. 

10.5 Notice. Any notices to be given hereunder to a party shall be made via U.S. Mail, return receipt requested, or express courier to such party's address given in the initial paragraph of this Agreement (and if to SymCheck, then to the attention of "Chief Technology Officer" and such other persons as provided in the relevant part of this Agreement). 

10.6 Disputes. If any controversy, dispute or claim arises between the parties with respect to this Agreement, the parties shall make good faith efforts to resolve such matters informally. 

10.7 Regulatory References. Any reference to any part or section of the C.F.R. shall include such part or section as drafted upon the execution date of this Agreement and as it is subsequently updated, amended or revised. 

10.8 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits SymCheck to comply to the greatest extent possible with the Privacy Rule and the Security Rule. 

10.9 Limitation on Liability. With the exception of obligations under Section 8 of this Agreement, neither party shall be liable to the other party for any incidental, consequential, special, or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other party has been advised of the possibility of such loss or damages.

10.10 Equitable Relief. In addition to any legal remedies, SymCheck at any time may seek equitable remedies to compel the specific performance of this Agreement, or to avoid or end any actual or threatened breach of this Agreement. 

10.11 No Waiver of Privileges. Nothing herein, or any notification or disclosure made hereunder, shall be interpreted as: (a) a waiver by either party of the attorney-client privilege, the peer review privilege, or any other applicable privilege or statutory protection available under federal or state law; or (b) requiring a disclosure of such information if otherwise privileged or prohibited by law, by rules of court, or by rules of professional conduct applicable to attorneys or to any other relevant professional group. 

10.12 Conflicts. Any conflicts or inconsistencies between the terms in this Agreement and terms in any other agreements between the parties shall be resolved in favor of the terms in this Agreement, unless a different intention is expressly set out in the other agreement along with an express reference to this Agreement. 

10.13 Other HIPAA Obligations. Business Associate acknowledges that pursuant to §§ 13401 and 13404 of HITECH (42 U.S.C. §§ 17931 and 17934), it is directly subject to HIPAA in its own right with respect to compliance with the Security Rule and certain provisions of the Privacy Rule, respectively, and that it is in compliance with such provisions, in addition to its obligations to comply with the provisions of this Agreement.