Cloud Services Agreement

This Cloud Services Agreement is entered into on the Effective Date and is by and between the Customer identified above and Redox, Inc., with a principal place of business at 2020 Eastwood Drive, Madison, WI 53704.

1. Services

a. Subscription to Services. Subject to the terms of this Agreement, Redox grants Customer a limited, revocable, non-exclusive, non-sublicensable, non-transferable right to: (a) access and use the Services; (b) integrate with the Services, and (c) allow End Users to use the Services solely in connection with the use of the Customer Product and not on a stand-alone basis. The SLAs associated with the Services are described at Service Level Agreement.

b. Dashboard. As part of receiving the Services, Customer will have access to the Dashboard to administer and monitor the Services.

c. Technical Support. The Services include the technical support described at Service Level Agreement.

d. Restrictions. The Services and the Platform are the valuable proprietary intellectual property of Redox. Accordingly, Customer will not: (i) except as expressly provided above (Subscription to Services) license, sell, rent, assign or transfer, or make the Services or Platform available to any third party or otherwise commercially exploit the Services or Platform; (ii) modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Services or Platform; (iii) use the Services or Platform in order to build a product or service that replicates or attempts to compete with the Services; or (viii) attempt to circumvent or disable any of the security-related, management, or administrative features of the Services or Platform.

2. Modifications

a. Modifications.

i. Services, SLAs. Redox may make new features and functionality available during the Term, provided that Redox will provide thirty (30) days written notice if any modifications cause a material degradation to the Services. Redox may modify the SLAs with thirty (30) days written notice.

ii. Redox APIs. Redox may make modifications to the Redox API from time to time. Redox will provide at least six (6) months written notice if modifications to the Redox API are not backwards compatible. Customer is responsible for remaining compliant with the requirements of the Redox API.

iii. Effect of Modifications. If any of the modifications in this section cause a material degradation to the Services or SLAs (as applicable), then Customer may terminate the Services for breach. By continuing to use the Services after the effective date of any modifications noted in this Section, Customer agrees to be bound by the modifications.

b. End of Life. Redox may end-of-life a Service, or a specific feature or function of a Service, upon ninety (90) days written notice. Such service or specific feature or function will remain available through the longer of (i) the end of the notice period, or (ii) the end of the then current Term of the Services.

3. Fees; Taxes

a. Fees. Customer agrees to pay the fees for the Services as set forth in the Order Form, without deduction for any Taxes. All fees are due net thirty (30) days from invoice. Fees that are not disputed within sixty (60) days of the date on which they are charged are deemed to be accurate and owing (if not paid) and Customer waives any rights or claims related to those fees.

b. Increases. Unless specifically stated otherwise in the Order Form, Redox may only increase fees on renewal of the Services and not during the term of the Services.

c. Interest, penalties. If Customer is overdue on any payment of undisputed fees and fails to pay within ten (10) business days of a written notice of overdue payment, then Redox may assess a late fee. The late fee will be either 1.0% per month, or the maximum amount allowable by Applicable Law, whichever is less. Customer will also be responsible for any reasonable costs of collection relating to overdue fees.

d. Taxes. The fees do not include any Taxes. Customer agrees to pay all Taxes on the Services that Redox is required by Applicable Law to collect. Invoices will identify any Taxes as a separate line item. If Customer is exempt from paying taxes on the Services, Customer will provide Redox with reasonable proof of tax-exempt status. For clarity, Redox is solely responsible for taxes based on its income, property and employees.

4. Representations and Warranties

a. By Customer. Customer represents and warrants (i) it has validly entered into this Agreement and has the legal power to do so; (ii) it will obtain and maintain any required consents necessary to permit the processing of Customer Data under this Agreement; and (iii) its use of the Services will not violate Applicable Law or the terms of this Agreement.

b. By Redox. Redox represents and warrants (i) it has validly entered into this Agreement and has the legal power to do so, (ii) the Services will perform materially in accordance with the Documentation, and (iii) the functionality of the Services will not be materially decreased during a Term. For any breach of a warranty in this section, Customer’s exclusive remedy shall be re-performance or termination as set forth in this Agreement.

c. Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN ALL SERVICES ARE PROVIDED “AS-IS”. REDOX AND ITS SUPPLIERS AND LICENSORS DISCLAIM ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. REDOX DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, COMPLETELY SECURE, OR THAT ALL DEFECTS WILL BE CORRECTED.

5. Intellectual Property Rights

As between the parties, (i) Redox exclusively owns and reserves all right, title and interest in and to the Services, Documentation, Platform and Redox Confidential Information, including all Intellectual Property Rights to the foregoing, and (ii) Customer exclusively owns and reserves all right, title and interest in and to the Customer Product, Customer Data and Customer Confidential Information, including all Intellectual Property Rights to the foregoing.

6. Information Security; Backups

a. By Customer. Customer agrees to implement reasonable and appropriate physical, technical and administrative security measures to (i) protect the Customer Product from unauthorized access, (ii) prevent the introduction of Malicious Code into the Redox Platform and/or Services, (iii) maintain the security of Customer’s account, passwords (including, but not limited to, administrative and user passwords) and files, and (iv) ensure that its End Users also abide by the foregoing. Customer also agrees it is responsible for backing up all Customer Data.

b. By Redox. Redox agrees to implement reasonable and appropriate physical, technical and administrative security measures to (i) help secure Customer Content against accidental or unlawful loss, access or disclosure, (ii) protect the integrity of the Platform and the Services, and (iii) prevent the introduction of Malicious Code into the Customer Product. In addition, Redox maintains a compliance program that includes third party audits and certifications and will make reports from such available to Customer upon written request.

7. Confidential Information

a. Use of Confidential Information. The receiving party will (i) not use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the disclosing party in writing, not voluntarily disclose Confidential Information of the disclosing party to any third party, except to those of its and its Affiliates’ employees, contractors and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements containing protections no less stringent than those in this Agreement.

b. Compelled Disclosure. A receiving party may also disclose Confidential Information to the extent required by Applicable Law; provided that the receiving party uses commercially reasonable efforts to: (i) promptly notify the other party of such disclosure before disclosing; and (ii) comply with the other party’s reasonable requests regarding its efforts to oppose the disclosure. Notwithstanding the foregoing, subsections (i) and (ii) above will not apply if the receiving party reasonably determines that complying with (i) and (ii) could: (a) result in a violation of law, (b) obstruct a governmental investigation, and/or (c) lead to death or serious physical harm to an individual.

c. Degree of Care. The receiving party agrees to use the same degree of care that it uses to protect the confidentiality of its own Confidential Information of (but in no event less than reasonable care).

d. Injunctive Relief. The parties expressly acknowledge and agree that no adequate remedy exists at law for an actual or threatened breach of this section and that, in the event of an actual or threatened breach of the provisions of this section, the non-breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Each party will promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Section.

8. Business Associate Provisions

The parties agree that the transfer, use and processing of Protected Health Information is governed by the Business Associate Agreement attached as Appendix 1 to this Agreement.

9. Beta Offerings

Redox may make Beta Offerings available to Customer and the features within a Beta Offering are subject to frequent change. Customer may choose to utilize Beta Offerings or not in its sole discretion. Redox may discontinue Beta Offerings at any time in its sole discretion and may decide not to make a Beta Offering generally available. Beta Offerings are not “Services” under this Agreement, are provided “AS IS” and no SLAs apply to Beta Offerings.

10. Term; Termination; Suspension

a. Term of Cloud Services Agreement. This Agreement begins on the Effective Date and will remain in effect as long as any Order Forms are outstanding, unless terminated sooner in accordance with the terms below.

b. Term of Order Form. Each Order Form shall have the initial term designated therein (the “Initial Term”), and will automatically renew for successive one (1) year periods or such other period as designated in the Order Form (each, a “Renewal Term”), unless either party provides a written notice of non-renewal at least forty-five (45) days prior to the renewal date. The Initial Term and Renewal Term are collectively referred to in this Agreement as the “Term”.

c. Termination for Cause. Either party may terminate this Agreement or the applicable Order Form if (i) the other party is in material breach of the Agreement or the Order Form and fails to cure the breach within thirty (30) days after receipt of written notice; or (ii) the other party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within ninety (90) days.

d. Effect of Termination. Upon termination of the Agreement, for any reason other than a termination by Redox for Customer’s breach, each Order Form then in effect will remain in effect through its Term, but will not renew. Effective immediately upon the termination of an Order Form, the Services will no longer be available and Redox may erase all Customer Data stored in the Platform or the Services. All Confidential Information and Documentation, including all copies thereof, must be returned to the disclosing party or permanently destroyed.

e. Suspension.

i. Suspension Rights. Redox may, upon written notice, suspend all or a portion of the Services, if Redox reasonably determines that Customer’s use of the Services: (x) poses a material threat to the security or stability of the Platform or Services; (y) is fraudulent, or (z) violates Applicable Law or misappropriates or infringes the Intellectual Property Rights of a third party. In addition, Redox may suspend the Services at any time if fees are more than thirty (30) days overdue.

ii. Effect of Suspension. Redox’s notice of suspension will identify the reason for the suspension and will limit the suspension as narrowly as possible. Fees will continue to accrue during any suspension and SLAs will not apply during the suspension.

iii. Reinstatement. Redox will lift any suspension promptly when the circumstances giving rise to the suspension have been resolved.

11. Limitation of Liability

a. Indirect and Consequential Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR GOODWILL, OR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

b. Liability Cap. IN NO EVENT WILL THE AGGREGATE LIABILITY OF EACH PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE CLAIM. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

c. Exceptions. The limitations of liability do not apply to a party’s indemnification obligations below or Customer’s payment obligations, PROVIDED THAT, IN NO EVENT WILL REDOX’S AGGREGATE LIABILITY IN CONNECTION WITH A SECURITY INCIDENT (AS DEFINED IN HIPAA) EXCEED THE GREATER OF $250,000 OR THREE (3X) THE AMOUNTS PAID OR PAYABLE BY CUSTOMER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE CLAIM.

12. Indemnification

a. By Customer. Customer will defend and indemnify Redox and its Affiliates against Indemnified Liabilities under a Third Party Claim to the extent arising from: (i) its breach of the representation and warranty section of this Agreement, (ii) an allegation that the Customer Content or Customer Product infringes or misappropriates the Intellectual Property Rights of a third party; and (iii) any Claim from an End User with respect to the Application.

b. By Redox. Redox will defend and indemnify Customer and its Affiliates against Indemnified Liabilities in any Third Party Claim to the extent arising from: (i) its breach of the representation and warranty section of this Agreement, or (ii) an allegation that the Services infringe or misappropriate the Intellectual Property Rights of a third party. If Redox reasonably believes the Services may infringe or misappropriate, in addition to Redox’s defense and indemnification obligations above, Redox may in its discretion and at no cost to Customer (x) modify the Services so that they are no longer infringing or misappropriating, (y) obtain a license for continued use of the Services in accordance, or (z) terminate the Services and refund to Customer any prepaid fees covering the remainder of the Term of such Services, if any. Redox shall have no defense and indemnification obligations under this Section to the extent the Third Party Claim arises from the Customer Product, the Customer Content or Customer’s use of the Services in a manner for which they were not intended or not authorized under this Agreement or the Documentation.

c. General Process. Each party’s indemnification obligations in this section will only apply to the extent the indemnified party (i) has promptly notified the indemnifying party in writing of the Third Party Claim and cooperates reasonably with the indemnifying party to resolve the Third Party Claim, and (ii) the indemnified party tenders sole control of the Third Party Claim to the indemnifying party, subject to the following: (x) the indemnified party may appoint its own non-controlling counsel, at its own expense; and (y) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party’s prior written consent, not to be unreasonably withheld, conditioned, or delayed.

13. General

a. Amendments. Except as expressly stated otherwise in this Agreement, any amendment must be in writing and signed by both parties in order to be effective.

b. Relationship of the parties. The parties agree that they are each independent parties. Neither party is an agent of the other for any purpose or has the authority to bind the other. Nothing in this Agreement is intended to create or will be construed as creating an employer-employee relationship or a partnership, agency, joint venture, or franchise.

c. an Affiliate or in connection with a Change of Control. In the event of a Change of Control, the assigning party will give written notice to the other party within thirty days after the Change of Control.

d. Severability. If any term (or part of a term) of this Agreement is invalid, illegal, or unenforceable, the rest of the Agreement will remain in effect.

e. No Waiver. Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.

f. Governing Law; Venue; Jurisdiction. The laws of the State of Delaware, without reference to its choice of law principles, govern this Agreement and any disputes or claims arising out of it. All disputes or claims will be resolved in the state and federal courts in Wilmington, Delaware, and each party irrevocably consents to the exclusive venue and personal jurisdiction of those courts. The parties also agree that the United Nations Convention on Contracts will not apply to this Agreement.

g. Force Majeure. No failure, delay or default in performance of any obligation of a party will be a breach of this Agreement if that arises out of a cause (existing or future) that is beyond the control of and without negligence of such party. This includes any actions or inactions of governmental, civil or military authority; fire; strike, lockout or other labor dispute; flood, terrorist act; war; riot; theft; earthquake and other natural disaster. The party affected by that type of cause will take all reasonable actions to minimize the consequences of any such cause.

h. Compliance with Laws. The parties agree to comply with Applicable Laws with respect to their obligations under this Agreement.

i. Export Controls. The Services may be subject to applicable export control and economic sanctions laws of the U.S. and other jurisdictions. The parties each agree to comply strictly with all domestic and international export laws and economic sanctions regulations, in the case of Redox, in providing the Services, and, in the case of Customer, in receiving and using the Services respectively, and to the extent consistent with this Agreement, Customer will obtain any necessary license or other authorization to export, re-export, or transfer the Services.

j. Survival; Scope Of Agreement; Entire Agreement. Any sections in this Agreement containing warranty disclaimers, confidentiality obligations, limitations of liability and/or indemnity terms, and any other term of the Agreement which, by its nature, is intended to survive will stay in effect following any termination or expiration of the Agreement. This is the entire agreement between the parties, and it supersedes all other oral or written agreements or policies relating to the Services. If there is a conflict between the Agreement and any documents referenced in the Agreement, the following order applies: an addendum signed by both parties, the Agreement, the Order Form and the SLA. Any pre-printed terms that appear on purchase orders that Customer submits are void.

k. Notices. Any notice required or permitted to be given hereunder will be given in writing to the party at the address specified in this Agreement by personal delivery, certified mail, return receipt requested, overnight delivery by a nationally recognized carrier or by email. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer in its account. Notices to Redox should copy [email protected]. Notice will be treated as given on receipt as verified by written or automated receipt or by electronic log (as applicable).

14. Definitions

a. Affiliate is an entity or person that controls a party, is controlled by a party, or is under common control with a party, such as a subsidiary, parent company, or employee. The term “control” means more than 50% ownership.

b. Administrative Console is the cloud-based customer portal that is part of the Platform.

c. Applicable Laws are federal, national, or state laws, rules or regulations and any judicial or administrative judgements or decrees that apply to the Services.

d. Beta Offerings are services that are identified as alpha, beta, non-GA, limited release, developer preview, or any such similarly designated services, products, or features offered by Redox.

e. Change of Control is (i) an acquisition of a party by reorganization, merger or consolidation but excluding any merger effected exclusively for the purpose of changing the domicile of the Company, or (ii) a sale of all or substantially all of the assets of a party.

f. Confidential Information is any information that one party (or an Affiliate) discloses to the other party under this Agreement, and which is marked as confidential or would normally under the circumstances be considered confidential or proprietary information. It does not include information that is independently developed by the receiving party, is rightfully given to the receiving party by a third party without confidentiality obligations, or becomes public through no fault of the receiving party. Subject to the preceding sentence, Customer Content is considered Customer’s Confidential Information.

g. Customer Product is any software product, application or service that Customer develops, owns or operates that interfaces with or integrates into the Services.

h. Customer Content is all information, software, and data, including files, messages, programs, sound, graphics, images, or applets or servlets that Customer or End Users create, install, upload or transfer to or using the Services.

i. Developer Tools are the Redox proprietary software development toolkits that can be used when developing against the Platform and the Redox API.

j. Documentation is the instruction manuals and guides, code samples, manuals, guides, on-line help files and technical documentation made available as part of the Services, and as may be updated from time to time.

k. Effective Date is the date of the last signature to this Agreement.

l. End User means an individual or entity that accesses or uses the Customer Product or Customer Data or otherwise accesses the Services on behalf of Customer.

m. HIPAA is the Health Insurance Portability and Accountability Act of 1996, as amended.

n. Indemnified Liabilities are (i) settlement amounts approved by the indemnifying party; (ii) damages and costs finally awarded against the indemnified party and its Affiliates by a court of competent jurisdiction, and (iii) reasonable attorney’s fees in connection with the Third Party Claim.

o. Intellectual Property Rights are current and future worldwide rights under patent, copyright, trade secret, trademark, and moral rights laws, and other similar rights.

p. Malicious Code are viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

q. Order Form is the form signed by both parties that is placed to order Services under this Agreement.

r. Platform is the cloud based platform through which the Services are delivered and includes the Dashboard, Developer Tools and the Redox API.

s. Protected Health Information (“PHI”) has the meaning as set forth in HIPAA.

t. Redox API is the proprietary application programming interface that can be used to interface with the Services.

u. SLA is the service level agreement that can be found at Service Level Agreement, which may be updated from time to time in accordance with the terms of this Agreement.

v. Services means all of the services described in the Order Form and includes use of the Platform.

w. Taxes are any taxes, levies, duties or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes, assessable by any jurisdiction.

x. Third Party Claim is a claim, demand, suit, action or proceeding made or brought against a party by a third party.

Appendix 1

Downstream Subcontractor

Business Associate Provisions

The parties agree that the Services involve the Protected Health Information of one or more Covered Entities (“PHI”) and this Appendix addresses how PHI will be handled in connection with the Services. Any capitalized terms used but not defined in this Appendix will have the meaning set forth in the Agreement or HIPAA, as applicable.

1. General

a. Effect. The terms and provisions of this Agreement will supersede any conflicting or inconsistent terms and provisions of the Agreement to the extent of such conflict or inconsistency.

b. HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this Appendix, effective on the later of the effective date of this Appendix or such subsequent date as may be specified by HIPAA.

c. No Third Party Beneficiaries. The parties have not and do not intend to create by this Appendix any third party rights, including third party rights for Covered Entities’ patients or insureds.

2. Obligations of Redox

a. Use and Disclosure of PHI. Redox may use and disclose PHI as permitted or required under this Appendix or the Agreement, or as Required by Law, but will not otherwise use or disclose any PHI. Redox will not use or disclose PHI in any manner that would constitute a violation of HIPAA. To the extent Redox carries out any of Business Associate’s or the Covered Entities’ obligations under the HIPAA privacy standards, Redox will comply with the requirements of the HIPAA privacy standards that apply to Customer or the Covered Entities (as applicable) in the performance of such obligations. Without limiting the generality of the foregoing, Redox is permitted to use or disclose PHI as set forth below:

i. Redox may use PHI internally for Redox’s proper management and administrative services or to carry out its legal responsibilities;

ii. Redox may disclose PHI to a third party for Redox’s proper management and administration, provided that the disclosure is required by Applicable Law or Redox obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as required by Applicable Law or for the purpose for which it was disclosed to the third party and (3) notify Customer of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;

iii. Redox may use PHI to provide Data Aggregation services relating to the Health Care Operations of Customer or the Covered Entities if required or permitted under the Agreement;

iv. Redox may use PHI to create Limited Data Sets and to use and disclose such Limited Data Sets for Research, public health, or Health Care Operations as permitted by 45 C.F.R. § 164.514(e)(3) and (4);

v. Redox may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Redox may disclose de-identified health information for any purpose permitted by Applicable Law.

b. Safeguards. Redox will use appropriate physical, technical, and administrative safeguards to (i) prevent the use or disclosure of PHI other than as permitted or required by this Appendix, and (ii) reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI that Redox creates, receives, maintains or transmits on behalf of Customer or the Covered Entities. Redox will comply with the HIPAA Security Rule with respect to Electronic PHI.

c. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Redox will only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

d. Mitigation. Redox will take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Redox) of a use or disclosure of PHI by Redox in violation of this Agreement.

e. Subcontractors. Redox will enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under Applicable Law) that creates, receives, maintains or transmits PHI on behalf of Redox. Redox will ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Redox under this Appendix.

f. Reporting Requirements.

i. If Redox becomes aware of a use or disclosure of PHI in violation of this Agreement by Redox or a third party to which Redox disclosed PHI, Redox will report the use or disclosure to Customer within ten (10) business days of discovery.

ii. Redox will report any Security Incident involving Electronic PHI that is not an Unsuccessful Security Incident (as defined below) of which Redox becomes aware within five (5) business days of discovery. Redox hereby notifies Customer of pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, interception of encrypted information where the encryption key is not compromised, and other Unsuccessful Security Incidents. Redox will provide additional information about Unsuccessful Security Incidents on a reasonable basis, if requested by Customer. If the HIPAA security regulations are amended to remove the requirement to report Unsuccessful Security Incidents, the requirement hereunder to report Unsuccessful Security Incidents will no longer apply as of the effective date of the amendment. “Unsuccessful Security Incident” means a Security Incident that does not involve unauthorized access, use, disclosure, modification or destruction of Electronic PHI or interference with an Information System in a manner that poses a material threat to the confidentiality, integrity, or availability of the Electronic PHI.

iii. Redox will, following the discovery of a Breach of PHI, notify Customer of the Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than five (5) business days after discovery.

g. Access to PHI. Within fifteen (15) business days of a request by Customer for access to PHI about an Individual contained in any Designated Record Set maintained by Redox, Redox will make available to Customer such PHI for so long as Redox maintains such information in the Designated Record Set. If Redox receives a request for access to PHI directly from an Individual, Redox will forward such request to Customer within ten business days. Customer will have the sole responsibility to make decisions regarding whether to approve a request for access to PHI.

h. Availability of PHI for Amendment. Within fifteen (15) business days of receipt of a request from Customer for the amendment of an Individual’s PHI contained in any Designated Record Set maintained by Redox, Redox will provide such information to Customer for amendment and incorporate any such amendments in the PHI (for so long as Redox maintains such information in the Designated Record Set) as required by 45 C.F.R. §164.526. If Redox receives a request for amendment to PHI directly from an Individual, Redox will forward such request to Customer within 10 business days. Customer will have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.

i. Accounting of Disclosures. Within fifteen (15) business days of notice by Customer to Redox that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Redox will make available to Customer such information as is in Redox’s possession and is required for Customer and Covered Entity to make the accounting required by 45 C.F.R. §164.528. If Redox receives a request for an accounting directly from an Individual, Redox will forward such request to Customer within ten business days. Customer will have the sole responsibility to provide an accounting of disclosures to Covered Entity and the Individual.

j. Availability of Books and Records. Redox will make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Redox on behalf of, Customer or the Covered Entities available to the Secretary for purposes of determining Customer’s compliance with HIPAA.

3. Obligations of Customer

a. Permissible Requests. Customer will not request Redox to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Customer (except as expressly provided in this Appendix).

b. Minimum Necessary PHI. When Customer discloses PHI to Redox, Customer will provide the minimum amount of PHI necessary for the accomplishment of Redox’s purpose.

c. Permissions; Restrictions. Customer warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other Applicable Law for the disclosure of PHI to Redox. Customer will notify Redox of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Redox’s use or disclosure of PHI. Customer will not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Redox’s use or disclosure of PHI under the Agreement or this Agreement unless such restriction is Required By Law or Redox grants its written consent, which consent will not be unreasonably withheld.

d. Notice of Privacy Practices. Customer will notify Redox of any limitation in a Covered Entity’s notice of privacy practices that may have the effect of limiting Redox’s use or disclosure of PHI under the Agreement or this Agreement.

4. Term and Termination

a. Term. The term of this Appendix will commence on the Effective Date of the Agreement and expire when Redox has returned or destroyed all PHI.

b. Termination Upon Termination or Expiration of the Agreement. This Appendix will terminate immediately upon termination or expiration of the Agreement for any reason.

c. Return or Destruction of PHI upon Termination. Upon expiration or earlier termination of the Agreement or this Appendix, Redox will either return or destroy all PHI received from or on behalf of Customer or the Covered Entities or created by Redox on behalf of Customer or the Covered Entities that Redox still maintains in any form. Notwithstanding the foregoing, to the extent that Redox determines that it is not feasible to return or destroy such PHI, the terms and provisions of this Agreement will survive termination and such PHI will be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.