Business Associate Agreement

This Business Associate Agreement (this "Agreement") is a contract between you and StartBox, LLC (“StartBox” or “Us” or “We”) and governs our compliance with, and your rights and obligations with respect to, the HIPAA Rules (as defined below) and the HITECH Act (as defined below) in connection with your use of the Service (as defined in our Terms of Use). By accessing, using, subscribing, purchasing or downloading any goods, materials or content from the Service you agree to follow and be bound by this Agreement. If you do not agree to this Agreement, you may not use the Service.

NOTICE OF ARBITRATION AGREEMENT AND CLASS ACTION WAIVER: THIS AGREEMENT INCLUDES A BINDING ARBITRATION CLAUSE AND A CLASS ACTION WAIVER, SET FORTH BELOW, WHICH AFFECT YOUR RIGHTS ABOUT RESOLVING ANY DISPUTE WITH US. PLEASE READ IT CAREFULLY.

This Agreement is governed by the Electronic Signatures in Global and National Commerce Act. You manifest your agreement to the terms and conditions in this Agreement by any act demonstrating your assent thereto, including clicking any button containing the words “I agree” or similar syntax, by accessing the Service, by establishing an account, or using the Service, whether you have read this Agreement or not. You should print a copy of this Agreement for your personal records. This Agreement may be changed by StartBox as provided in Section 7 below. By continuing to access or use the Service after the effective date of any such change, you agree to be bound by the modified Agreement.

  1. Definitions.

Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule, Security Rule, and HITECH Act.

  • “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402.
  • “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR § 164.501.
  • “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.
  • “Disclosure” and “Disclose” shall have the same meaning as the term “disclosure” in 45 CFR § 160.103.
  • “Dispute” will have the broadest meaning possible and means any dispute, action, or other controversy between you and StartBox relating to the Service, any transaction or relationship between you and StartBox resulting from your use of the Service, communications between you and StartBox, or this Agreement – whether in contract, warranty, tort, laws, or regulations.
  • “Electronic Health Record” shall have the same meaning as the term in Section 13400 of the HITECH Act.
  • “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
  • “HITECH Act” shall mean The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009, specifically DIVISION A: TITLE XIII Subtitle D - Privacy, and its corresponding regulations as enacted under the authority of the Act.
  • “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
  • “Minimum Necessary” shall mean the Privacy Rule Standards found at §164.502(b) and § 164.514(d)(1).
  • "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  • "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by StartBox on your behalf.
  • "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
  • "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.
  • “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.
  • “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. parts § 160 and § 164, Subparts A and C.
  • “Subcontractor” shall mean a person or entity “that creates, receives, maintains, or transmits protected health information on behalf of a business associate” and who is now considered a business associate, as the latter term is defined in 45 CFR § 160.103.
  • “Subject Matter” shall mean compliance with the HIPAA Rules and with the HITECH Act.
  • “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
  • “Use” shall have the same meaning as the term “use” in 45 CFR § 164.103.
  2. Our Obligations

StartBox agrees to not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.

StartBox agrees to use appropriate safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement. StartBox further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.

StartBox agrees to mitigate, to the extent practicable, any harmful effect that is known to us resulting from our Use or Disclosure of Protected Health Information in violation of the requirements of this Agreement. StartBox further agrees to report to you any Use or Disclosure of Protected Health Information not provided for by this Agreement of which we become aware, and in a manner as prescribed herein.

StartBox agrees to report any Breach of your Unsecured Protected Health Information to you within ten (10) business days of discovery of said Breach; all other compromises of your Protected Health Information shall be reported to you within twenty (20) business days of discovery. StartBox further agrees, consistent with Section 13402 of the HITECH Act, to provide you, via email or phone call, with information necessary for you to meet the requirements of said section.

StartBox agrees to ensure that any Subcontractor, to whom StartBox provides Protected Health Information, agrees to the same restrictions and conditions that apply through this Agreement to StartBox with respect to such information. StartBox further agrees that restrictions and conditions analogous to those contained herein shall be imposed on said Subcontractors via a written agreement that complies with all the requirements specified in § 164.504(e)(2), and that StartBox shall only provide said Subcontractors Protected Health Information consistent with Section 13405(b) of the HITECH Act.

StartBox agrees to provide you access to Protected Health Information in a Designated Record Set, and make amendments thereto, in order to meet the requirements under the HIPAA Rules and the HITECH Act.

Unless otherwise protected or prohibited from discovery or disclosure by law, StartBox agrees to make internal practices, books, and records, including policies and procedures (collectively “Compliance Information”), relating to the Use or Disclosure of Protected Health Information and the protection of same, available to you or to the Secretary for purposes of the Secretary determining your compliance with the HIPAA Rules and the HITECH Act. StartBox further agrees, upon request, to provide you with demonstrable evidence that its Compliance Information ensures StartBox’s compliance with this Agreement over time. StartBox shall have a reasonable time within which to comply with requests for such access and/or demonstrable evidence, consistent with this Agreement. In no case shall access, or demonstrable evidence, be required in less than ten (10) business days after StartBox’s receipt of such request, unless otherwise designated by the Secretary.

StartBox agrees to maintain necessary and sufficient documentation of Disclosures of Protected Health Information as would be required for you to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528.

Upon request, StartBox agrees to provide to you documentation made in accordance with this Agreement to permit you to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. StartBox shall provide said documentation in a manner and format to be specified by you. StartBox shall have a reasonable time within which to comply with such a request from you and in no case shall StartBox be required to provide such documentation in less than five (5) business days after StartBox's receipt of such request.

Except as provided for in this Agreement, in the event StartBox receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, StartBox shall redirect the Individual to you.

  3. Permitted Uses and Disclosures

Except as otherwise limited by this Agreement, StartBox may make any Use and Disclosure of Protected Health Information necessary to perform its services and otherwise meet its obligations under this Agreement, if such Use or Disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by you. All other Uses or Disclosures by StartBox not authorized by this Agreement, or by your specific instruction, are prohibited.

Except as otherwise limited in this Agreement, StartBox may Use Protected Health Information for the proper management and administration of StartBox or to carry out the legal responsibilities of StartBox.

Except as otherwise limited in this Agreement, StartBox may Disclose Protected Health Information for the proper management and administration of StartBox, provided that Disclosures are Required By Law, or StartBox obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used, or further Disclosed, only as Required By Law, or for the purpose for which it was Disclosed to the person, and the person notifies StartBox of any instances of which it is aware in which the confidentiality of the information has been breached.

Except as otherwise limited in this Agreement, StartBox may Use Protected Health Information to provide Data Aggregation services to you as permitted by 45 CFR §164.504(e)(2)(i)(B). StartBox further agrees that said services shall not be provided in a manner that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information.

StartBox may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

StartBox shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.

  4. Your Obligations

You shall notify StartBox of the provisions and any limitation(s) in your notice of privacy practices, to the extent that such provisions and limitation(s) may affect our Use or Disclosure of Protected Health Information.

You shall notify StartBox of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect our use or disclosure of Protected Health Information.

You shall notify StartBox of any restriction to the use or disclosure of Protected Health Information that you have agreed to, and also notify StartBox regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect our Use or Disclosure of Protected Health Information.

You shall notify StartBox of any modifications to accounting disclosures of Protected Health Information under 45 CFR § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect our use or disclosure of Protected Health Information.

You shall not require StartBox to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by you.

  5. Termination

The Agreement shall terminate when all of the Protected Health Information provided by you to StartBox, or created or received by StartBox on your behalf, is destroyed or returned to you, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Agreement.

  6. Dispute Resolution and Class Action Waiver

In the event of a Dispute between you and StartBox (including any dispute over the validity, enforceability, or scope of this dispute resolution provision), other than with respect to claims for injunctive relief, the Dispute will be resolved by binding arbitration pursuant to the rules of the American Arbitration Association Commercial Arbitration Rules. The place of the arbitration shall be in Atlanta, Georgia. In the event that there is any Dispute between you and StartBox that is determined not to be subject to arbitration pursuant to the preceding sentence, you agree to submit in that event to the exclusive jurisdiction and venue of the state and federal courts located in Atlanta, Georgia. You agree that this Agreement and the relationship between you and StartBox shall be governed by the Federal Arbitration Act and the laws of the State of Georgia without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.

Any proceedings to resolve or litigate any Dispute in any forum will be conducted solely on an individual basis. Class arbitrations, class actions, private attorney general actions, consolidation of your Dispute with other arbitrations, or any other proceeding in which either party acts or proposes to act in a representative capacity or as a private attorney general are not permitted and are waived by you, and an arbitrator will have no jurisdiction to hear such claims. If a court or arbitrator finds that the class action waiver in this section is unenforceable as to all or some parts of a Dispute, then the class action waiver will not apply to those parts. Instead, those parts will be severed and proceed in a court of law, with the remaining parts proceeding in arbitration. If any other provision of this Dispute resolution section is found to be illegal or unenforceable, that provision will be severed with the remainder of this section remaining in full force and effect.

  7. General

  1. Regulatory References.

A reference in this Agreement to a section in the Privacy Rule, Security Rule, or HITECH Act means the section as in effect or as amended.

  1. Interpretation.

Any ambiguity in this Agreement shall be resolved to permit you and StartBox to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.

  1. Assignment

This Agreement, and any rights and licenses granted hereunder, may not be transferred or assigned by you, but may be assigned by StartBox without restriction. Any attempted transfer or assignment in violation hereof shall be null and void.

  1. Notification Procedures and Changes to the Agreement

StartBox may provide notifications, whether such notifications are required by law or are for marketing or other business related purposes, to you via email notice, written or hard copy notice, or through posting of such notice on our website, as determined by StartBox in our sole discretion. StartBox reserves the right to determine the form and means of providing notifications to you, provided that you may opt out of certain means of notification as described in this Agreement. We are not responsible for any automatic filtering you or your network provider may apply to email notifications we send to the email address you provide us. StartBox may, in its sole discretion, modify or update this Agreement from time to time, and so you should review this page periodically. When we change the Agreement in a material manner, we will update the ‘last modified’ date at the bottom of this page. Your continued use of the Service after any such change constitutes your acceptance of the new Terms & Conditions. If you do not agree to any of these terms or any future Terms & Conditions, do not use or access (or continue to access) the Service.

  1. Entire Agreement/Severability

This Agreement, together with any amendments and any additional agreements you may enter into with StartBox in connection with the Service, shall constitute the entire agreement between you and StartBox concerning the Service. If any provision of this Agreement is deemed invalid by a court of competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions of this Agreement, which shall remain in full force and effect.

  1. Contact

Please contact us at contact@startboxor.com with any questions regarding this Agreement.

This Agreement was last modified on March 31, 2018.
