This Data Vendor Agreement (the "Agreement") is made between Medchart US Inc. dba SettLiT ("Company"), and the company referenced in the SettLiT Order Form and Services Agreement which incorporated this agreement by reference ("Customer").
I. Data Source Services Description. Data Vendor(s) is the combination of services facilitating Customer’s clients’ authorizing or consenting to the disclosure of laboratory results about such individuals to Customer, authorizing or consenting to the disclosure of prescription use and prescription coverage about such individuals to Customer, and/or authorizing or consenting to the disclosure of adjudicated final paid claims from health care payors about such individuals to Customer.
II. General Data Vendor Terms and Conditions. 1. Definitions. The following definitions shall apply to this Agreement
(a) "Authorization" means a written statement, signed by a Releasor, that contains the elements set forth on Exhibit A and any additional items required by applicable law, complies with all applicable laws, including HIPAA, state laws, and/or the Fair Credit Reporting Act ("FCRA"), and states that any entity holding PHI relating to the particularly named person may deliver a copy of such PHI to Customer, for Customer's use solely for the purposes stated in the Authorization, which shall be limited to (1) the submission of their life, disability income, long term care and health insurance applications and processing insurance claims, (2) providing medication history as part of participation in a research project, and (3) mass tort cases providing HITs to law firms. If AIDS Virus (HIV) Antibody/Antigen testing results are to be included, a specific reference to AIDS Virus (HIV) Antibody/Antigen testing is required.
(b) "Authorized Request" means a request by Distributor on behalf of Customer for PHI relating to a particular named person, based upon a legally valid Authorization for such release provided by a Releasor in accordance with applicable law, which Authorization has not been revoked or terminated.
(c) "Data Repository" means the various third-party data sources whose PHI is accessible through the Data Vendor’s System. The Parties agree that Data Vendor, Laboratories, and all Data Repositories are third‐party beneficiaries of this Agreement.
(d) "Data Vendor's System" means all of Data Vendor's technology and equipment which facilitate responding to Authorizations or otherwise are utilized by Data Vendor in connection with obtaining PHI from various laboratories ("Laboratories") and Data Repositories, including, without limitation, Data Vendor's central server systems, the requesting systems and all associated software. For purposes of this Agreement, Data Vendor's System shall also include third‐party products that Data Vendor uses in connection with Data Vendor's System or that Company accesses on behalf of Customer through Data Vendor's System.
(e) "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996 and its corresponding regulations codified at Title 45 parts 160 through 164 of the United States Code of Federal Regulations, as amended from time to time.
(f) "Medical Claims System" or "Medical Claims" means Data Vendor's services in providing an electronic system for accessing PHI relating to persons, pursuant to Authorizations, via Data Vendor's medical claims service technology.
(g) "Protected Health Information" or "PHI" means "protected health information" as defined in HIPAA.
(h) "Releasor" means a legally empowered individual who signs an Authorization that authorizes the release of PHI of the person listed on the Authorization.
(i) "Transaction" means a request by Company on behalf of Customer through the Data Vendor System for PHI.
2. Customer's Obligations. In addition to the obligations set forth in the other sections of this Agreement, Customer shall comply with the following obligations:
2.1
Compliance. Customer is responsible for assuring that Customer's use and disclosure of any and all information received pursuant to this Agreement, including PHI and HIV‐related testing results, complies with all applicable laws and regulations, including but not limited to Fair Credit and Reporting Act, as amended, HIPAA, state laws relating to disclosure of HIV testing results, state laws related to medical records and insurance information privacy, and laws and regulations of any regulatory agency with jurisdiction over Customer. Without limiting the foregoing, Customer acknowledges that Company's use of Data Vendor on behalf of Customer may result in the creation of a "Consumer Report" subject to the FCRA. The FCRA establishes legal obligations upon users of Consumer Reports. Those obligations are described in the Notice to Users of Consumer Reports attached as Exhibit B to this Agreement. Customer is solely responsible for determining whether its use of Data Vendor is subject to the FCRA and, if so, for its own FCRA compliance. Customer shall provide any notices required under FCRA if Customer takes any "adverse action" (as defined in FCRA) against a person because of information obtained from Data Vendor.
2.2
Training. Customer agrees to adopt appropriate policies for the protection and handling of PHI and proper accessing of PHI pursuant to this Agreement and train its personnel on such policies. In addition, Customer shall require all personnel accessing PHI pursuant to this Agreement or otherwise interacting with Data Vendor to complete training that addresses all of the items set forth on Exhibit C to this Agreement. Customer shall limit access to PHI obtained under this Agreement to those Customer personnel who are required to have access to PHI in the course of Customer's business, who have been trained consistently with this section, who have been informed of the confidential nature of the PHI and who have agreed to keep such information confidential.
2.3
Authorization Forms. Customer shall submit to Company a true and complete copy of each form of Authorization it uses currently or proposes to use. Customer may not submit queries to Company to obtain PHI through Data Vendor except by using approved Authorization forms. Customer shall promptly (i) notify Company in writing of any changes to its Authorization forms made during the term of this Agreement, and (ii) provide Company with a copy of all such revised forms, and (iii) obtain Company or Data Vendor's prior approval before using a revised Authorization form.
2.4
Records. For each Authorized Request, Customer shall perform the following services (collectively, the "Customer Services"): (a) verification of the Releasor's identity and authority consistent with 45 CFR §164.514(h) and all applicable laws; (b) reviewing each Authorization to confirm compliance with the requirements of 45 CFR §164.508(b) and all applicable laws, including confirmation that the Releasor has properly executed the Authorization, (c) retention of all Authorizations obtained or used by Customer with respect to receiving PHI pursuant to the Agreement and documentation of all Authorized Requests and the basis for allowing access to PHI pursuant to such Authorized Requests, for at least six (6) years from the date the Authorization was last in effect; and (d) providing documentation required to be retained pursuant to this section to Company, Data Vendor, and the Data Repositories promptly upon request, but no later than two (2) business days after the request. Customer will provide all of the Customer Services in compliance with HIPAA and applicable law.
2.5
Audit Rights. Company, Laboratories, Data Vendor, and the Data Repositories shall have the right to audit Customer at any reasonable time, upon reasonable notice, to confirm Customer's compliance with this Agreement, during the duration of this Agreement and for the duration of Customer's obligation to retain the Authorizations pursuant to this Agreement (regardless of any termination of this Agreement). Customer will participate in and cooperate with Company, Laboratories, Data Vendor, and the Data Repositories in performing the Audit Process described on Exhibit D to this Agreement. If Customer does not return 100% of the required Authorized Requests in previously approved form and within the time required, Customer will be considered for immediate suspension or termination by Company. Company, Laboratories, Data Vendor, and Data Repositories may, on an ad hoc basis, request specific Authorizations from Customer, and Customer will provide copies of these requested Authorizations within two (2) business days.
2.6
Breach of Confidentiality. Customer and Company shall preserve the confidentiality and electronic security of the PHI accessed through Data Vendor, consistent with applicable law. If Customer becomes aware of any instance in which PHI accessed is received without an Authorization or improperly used, disclosed or the confidentiality of such PHI is otherwise breached, Customer shall immediately notify Company at the email privacy@marbleapi.com.
2.7
Access Requirements. Customer represents and warrants that it will only request Company to access Data Vendor System's pursuant to Authorized Requests and in compliance with the terms and conditions of this Agreement; (b) Customer shall use and disclose PHI obtained via the Data Vendor System in compliance with, and for such purposes authorized by, the applicable Authorizations, which may only be those set forth in the definition of "Authorization", and only in accordance with all applicable laws; (c) it will not request the PHI of any person who has not granted an Authorization; (d) Authorizations used by Customer shall comply with all applicable laws and on a form approved in advance by Company and Data Vendor; (e) it will not request Company to query the Data Vendor System pursuant to an Authorization that has been revoked or terminated; and (f) it will not make any other use, disclosure, copy, compilation or summary of any PHI provided by Company under this Agreement, except as otherwise required or permitted by applicable law or regulation.
2.8
Annual Certification. Customer shall annually certify to Company and Data Vendor that: (a) Customer has tracked and reported all data breaches and revocations or rescissions of Authorizations that are related to data from the Data Vendor System; (b) Customer has trained all of its users on proper privacy and security regarding the use of the Data Vendor System; (c) Customer has maintained confidentiality of data obtained from the Data Vendor System and complied with all applicable privacy laws; and (d) Customer has used only Authorization forms approved by Data Vendor.
3. Limitation of Remedies and Indemnification. 3.1
Customer's Indemnification Obligations. Customer agrees to defend Data Vendor, Laboratories, and the Data Repositories and their respective affiliates against and hold them harmless from all third party claims, damages and liabilities resulting from Customer's breach of this Agreement, including but not limited to the use of a legally‐inadequate Authorization, provided that Company, Data Vendor, Laboratory, or a Data Repository, as the case may be, gives Customer prompt, written notice of any such claim, and all reasonable assistance to defend such claim. The indemnified party shall not agree to settle the claim without Customer's prior written consent, provided that such consent is not unreasonably withheld, conditioned or delayed. This indemnification provision shall not be deemed to waive or limit any other rights.
4. Term and Termination. 4.1 Term and Surviving Terms. The term of this Agreement commences as of the date set forth in the applicable order form and shall continue for one (1) year thereafter, provided that the term of this Agreement shall automatically renew for additional one (1) year terms unless earlier terminated as provided in this Agreement or unless either party provides at least thirty (30) days' notice of its intent to terminate this Agreement. All sections of this Agreement relating to confidentiality, records, audits, indemnification or limitations of liability shall survive termination or expiration of this Agreement. Upon termination of this Agreement, Customer shall promptly stop any further requests to Data Vendor via Company. Customer shall be entitled to keep copies of PHI only as permitted by the applicable Authorizations and only for use as permitted by such Authorizations.
4.2 Termination for Breach. If one party breaches any material provision of this Agreement, the non‐ breaching party may begin the process to terminate this Agreement by giving written notice of termination to the breaching party. If the breach is capable of being cured and is reasonably cured within thirty (30) days after receipt of the notice, the termination shall not become effective. If the breach is not capable of being cured or is not reasonably cured within thirty (30) days after receipt of the notice, the non‐breaching party may terminate this Agreement by delivering a second notice to the breaching party, specifying a termination date not later than ninety (90) days after the expiration of the cure period. Notwithstanding the foregoing, if Customer breaches any material provision of this Agreement, Company may immediately suspend Customer's access to PHI from Data Vendor upon written notification of suspension to the Customer.
4.3 Termination Without Cause. Either Party may terminate this Agreement without cause by providing the other Party ninety (90) days prior written notice of such termination to the other Party.
5. General.5.1 Integration Clause. Except as otherwise stated in this Agreement, this Agreement constitutes the entire understanding between the parties and supersedes all prior proposals, communications and agreements between the parties relating to its subject matter. No amendment, change, or waiver of any provision of this Agreement will be binding unless in writing and signed by both parties. In the event one or more of the provisions of this Agreement are found to be invalid, illegal or unenforceable by a court with jurisdiction, the remaining provisions shall continue in full force and effect.
5.2 Assignments. Neither Customer nor Company may assign or transfer this Agreement or any of the rights or licenses granted under it, without the prior, written consent of the other party, which shall not be unreasonably withheld. Any attempted assignment without consent shall be void.
5.3 Accuracy, Ownership of PHI. Data Vendor warrants that, to its knowledge, all PHI provided to Customer under the terms of this Agreement is consistent with the PHI available from Data Repositories and Laboratories. Neither Company nor Data Vendor shall be responsible for any inaccuracies in the data provided to it. Nothing in this Agreement shall be interpreted to require Data Vendor to provide or access PHI which Data Vendor is legally prohibited from releasing or which is contractually or otherwise unavailable to Company. Nothing in this Agreement shall grant or provide Customer any ownership or interest in the PHI provided under this Agreement, beyond the right to use as specified herein and as permitted by applicable law or regulation. Customer acknowledges that, for purposes of matching up a Releasor to a patient in the Laboratories' laboratory databases, Data Vendor needs sufficient demographic information about each Releasor from Company on behalf of Customer. Customer shall provide Company with adequate identifying information for purposes of enabling the matching of the Releasor to the Laboratories' patient.
5.4 Limitations. The Data Vendor System may be used only internally by Customer. Customer shall not grant any other party or individual access to the Data Vendor System or redisclose PHI obtained from Data Vendor to any third party except as required to carry out the purposes stated in an Authorization or as permitted by law, regulation or court order. Notwithstanding any provision of this Agreement to the contrary, in no event shall Customer, directly or indirectly, disclose any results received through the Data Vendor System to any Data Vendor competitor without Data Vendor's prior written approval. Customer's reliance upon PHI from the Data Vendor System, including (where applicable) determination or establishment of an individual's health risk and/or eligibility for life or other insurance coverage, is solely within Customer's discretion. For insurance uses, Data Vendor does not determine an individual's health risk and/or eligibility for life or other insurance coverage. Notwithstanding anything to the contrary in the Agreement, for insurance uses, insurance underwriting decisions shall remain solely the responsibility of Distributor's Customer. Customer shall not make any promises, statement, representations, or warranties regarding the Data Vendor System except as expressly authorized in this Agreement. Customer and its employees, officers, directors, managers, agents, contractors or subcontractors, shall not, directly or indirectly, or permit any third party to: (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise exploit or make the Data Vendor System available to any third party; (b) reverse engineer, decompile, translate, adapt, modify, copy, revise, enhance, create derivative works of, or otherwise alter the Data Vendor System; (c) send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs; (d) interfere with or disrupt the integrity or performance of the Data Vendor System; (e) use the Data Vendor System for unlawful purposes or for any purpose not expressly permitted by this Agreement; or (f) access the Data Vendor System in order to (i) build a competitive product or service; or (ii) copy any ideas, features, functions, information, or materials therein.
5.5 Notices. Any notices relating to this Agreement shall be in writing and will be sent electronically by email, which shall be considered legal notice if such email includes "FORMAL LEGAL NOTICE" in the subject line, or physically by overnight delivery with proof of delivery receipt, addressed to the party as set forth below, or at a different address as a party has notified the other party in writing.
6. Exhibits6.1 Exhibit A: Authorization Requirements.6.2 Exhibit B: Notice of consumer Reports: Obligations of Users Under the FCRA.
6.3 Exhibit C: Training.
6.4 Exhibit D: Authorization Audit.
This Agreement was last updated on
January 1, 2025
.png)