Overjet CSPA

This Custodian Service Provider Agreement (“CSPA”) forms part of the agreement between Overjet, Inc. (“Custodian Service Provider”) and you (“Customer” or “Covered Entity”) and shall be effective as of the effective date of the Services Agreement (“Effective Date”).

Recitals

WHEREAS, reference is made to that certain Master Services Agreement between Covered Entity and Custodian Service Provider as may be amended from time to time (the “Services Agreement”), pursuant to which Custodian Service Provider performs certain activities or functions on Covered Entity’s behalf which may involve Custodian Service Provider’s access to Personal Health Information, as hereinafter defined;

WHEREAS, Covered Entity and Custodian Service Provider desire to protect the privacy and provide for the security of such Covered Entity’s Personal Health Information as required by applicable law, including but not limited to the Personal Health Information Protection Act (Ontario) or analogous legislation in other provinces or territories (collectively, “PHIPA”); and

WHEREAS, in order for Covered Entity and Custodian Service Provider to comply with PHIPA, Custodian Service Provider has agreed to certain provisions designed to preserve the privacy and security of Personal Health Information obtained by Custodian Service Provider in the course of providing services to or on behalf of Covered Entity.

Agreement

NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1) Compliance with Law. In providing services under the Services Agreement and hereunder, Custodian Service Provider shall ensure that it acts in compliance with all applicable federal and provincial laws and regulations including, without limitation, PHIPA as in effect or as amended.

2) Definitions. The following terms shall have the meaning set forth below. Capitalized terms used in this CSPA and not otherwise defined shall have the meanings ascribed to them in PHIPA or the regulations to PHIPA as applicable.

(i) “Covered Entity PHI” shall mean PHI created or received by Custodian Service Provider from or on behalf of Covered Entity, including PHI created or received by Covered Entity from or on behalf of its customers.

(ii) “Data Aggregation” shall mean, with respect to personal health information created or received by Custodian Service Provider in its capacity as the Custodian Service Provider of Covered Entity, the combining of such personal health information by the Custodian Service Provider with other personal health information received by the Custodian Service Provider in its capacity as a service provider of another covered entity, to create anonymized information that can be used for data analyses.

(iii) “Individual” shall have the same meaning as the term “individual” in Section 2 of PHIPA.

(iv) “Personal Health Information” or “PHI” shall have the same meaning as the term “personal health information” in Section 4 of PHIPA.

(v) “Security Incident” shall mean an event that results in unauthorized access, use, disclosure, or destruction of PHI.

3) Permitted Uses and Disclosures.

(i) The Custodian Service Provider agrees and warrants that it will use or disclose Covered Entity PHI only as permitted by this CSPA or as required by applicable law.

(ii) The Custodian Service Provider agrees and warrants that it will use PHI solely for the following purposes:

  1. To fulfill its obligations under the Services Agreement and this CSPA;

  2. To report violations of law to appropriate federal and state authorities, in accordance with 45 C.F.R. § 164.502(j)(1);

  3. For Data Aggregation purposes, in accordance with 45 C.F.R. § 164.504(e)(2)(i)(B);

  4. On a de-identified basis, for any purpose, in accordance with 45 C.F.R. § 164.502(d).

(iii) The Custodian Service Provider shall not use or disclose Covered Entity PHI in any manner that would violate this CSPA if used or disclosed by Covered Entity.

(iv) The Custodian Service Provider shall ensure that its employees, representatives, agents, and contractors agree in writing to comply with restrictions on the use, disclosure, and security of PHI and Personal Information similar to those outlined herein, and specifically shall not use or disclose Covered Entity PHI in any manner that would violate this CSPA.

(v) To the extent required by PHIPA’s “minimum necessary” requirements, the Custodian Service Provider shall request, use, and disclose only the minimum amount of Covered Entity PHI necessary to accomplish the intended purpose. To the extent practicable, it shall not request, use, or disclose any information that can identify an individual, either alone or in combination with other readily available information.

(vi) The Custodian Service Provider agrees and warrants that it shall not use or disclose PHI in a manner that would breach this CSPA. It further agrees not to use or disclose PHI for fundraising or marketing purposes, nor receive any remuneration directly or indirectly in exchange for PHI. This prohibition does not affect payment to the Custodian Service Provider for services provided under the Services Agreement with the Covered Entity.

4) Safeguarding Covered Entity PHI. 

The Custodian Service Provider agrees to implement appropriate safeguards to protect Covered Entity PHI in accordance with this CSPA. The Custodian Service Provider will establish administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Covered Entity PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. These safeguards will include, but are not limited to, those required by applicable law. The Custodian Service Provider shall ensure that:

  • Only employees and agents with a business need to know Covered Entity PHI are granted access;

  • Access is limited to the minimum amount necessary to achieve the intended purpose;

  • All employees and agents handling Covered Entity PHI are trained on maintaining its confidentiality and on the requirements of this CSPA;

  • All Covered Entity PHI is stored and transmitted in a secure environment to prevent inadvertent disclosure.

5) Security Incident Mitigation. The Custodian Service Provider shall, to the extent reasonably practicable, mitigate any materially harmful effects resulting from a Security Incident that leads to unauthorized use or disclosure of Covered Entity PHI in violation of this CSPA or PHIPA.

6) Reporting Requirements.

(i) The Custodian Service Provider shall, without unreasonable delay, but in no event later than five (5) business days after becoming aware of any unauthorized acquisition, access, use, or disclosure of Covered Entity PHI in violation of this CSPA by the Custodian Service Provider, its employees, agents, contractors, or by a third party to whom Custodian Service Provider has disclosed Covered Entity PHI (each, an “Unauthorized Use or Disclosure”), report such Unauthorized Use or Disclosure, in writing, to the Covered Entity.

(ii) The Custodian Service Provider shall, without unreasonable delay but in no event later than five (5) business days after becoming aware of any Security Incident, report it, in writing, to the Covered Entity.

7) Subcontractors. The Custodian Service Provider shall enter into a written agreement with each subcontractor that creates, receives, maintains, or transmits Covered Entity’s PHI on behalf of the Custodian Service Provider, addressing all of the requirements of this CSPA. The Custodian Service Provider shall ensure that each such written agreement requires the subcontractor to comply with restrictions and conditions that are at least as restrictive as those that apply to the Custodian Service Provider under this CSPA.

8) Audit and Inspection of Records. The Custodian Service Provider agrees and warrants that it shall make its internal practices, books, and records relating to the use and disclosure of Covered Entity PHI available to any entity with regulatory authority over the Covered Entity. The Custodian Service Provider shall cooperate with such entity in connection with any investigation or review to assess compliance with applicable law, and shall retain all such records and submit any required compliance reports as mandated by such entity and/or applicable law.

9) Accounting of Disclosures. The Custodian Service Provider shall document disclosures of Covered Entity PHI and provide all necessary information for the Covered Entity to respond to an Individual’s request for an accounting of such disclosures. The Custodian Service Provider is not required to correspond directly with the Individual. At a minimum, the Custodian Service Provider shall provide the following for each disclosure: (a) the date of the disclosure; (b) the name and, if known, the address of the recipient; (c) a brief description of the PHI disclosed; and (d) the purpose of the disclosure. The Custodian Service Provider agrees to provide this information for disclosures made within six (6) years prior to the request.

10) Requests for Covered Entity PHI. The Custodian Service Provider agrees to promptly notify the Covered Entity upon receiving any request, subpoena, or judicial or administrative order for Covered Entity PHI. If the Covered Entity decides to assume responsibility for challenging the validity of such request, the Custodian Service Provider agrees to cooperate fully with the Covered Entity in any such challenge. The Covered Entity agrees to cover all reasonable costs incurred by the Custodian Service Provider in connection with the challenge.

11) Obligations of Covered Entity.

(i) The Covered Entity shall promptly notify the Custodian Service Provider of any changes to, or revocation of, an Individual’s permission to use or disclose Covered Entity PHI, to the extent such changes may impact the Custodian Service Provider’s use or disclosure of Covered Entity PHI.

(ii) The Covered Entity shall promptly notify the Custodian Service Provider of any restrictions on the use or disclosure of Covered Entity PHI that the Covered Entity has agreed to, to the extent such restrictions may impact the Custodian Service Provider’s use or disclosure of Covered Entity PHI.

(iii) The Covered Entity shall not request the Custodian Service Provider to use or disclose Covered Entity PHI in any manner that would violate this CSPA or any applicable law.

12) Term and Termination.

(i) This CSPA shall commence as of the Effective Date, and shall continue in effect until: (a) all Covered Entity PHI provided by Covered Entity to Custodian Service Provider, or created or received by Custodian Service Provider on behalf of Covered Entity, is destroyed or returned to Covered Entity; or (b) the Services Agreement is terminated.

(ii) In the event the Custodian Service Provider commits a material breach of the terms of this CSPA, the Covered Entity may either: (a) provide the Custodian Service Provider with thirty (30) days to cure the breach, and if the breach is not cured within that period, the Covered Entity shall have the right to immediately terminate this CSPA and the Services Agreement; or (b) immediately terminate this CSPA and the Services Agreement if the breach cannot be cured, as determined by the Covered Entity in its reasonable discretion. Termination under this Section shall be without prejudice to any other rights and remedies the Covered Entity may have for the breach of this CSPA.

13) Effect of Termination.

(i) Upon the expiration of this CSPA or in the event of the termination of this CSPA for any reason, each party shall be released from all obligations and liabilities to the other under this CSPA and the Services Agreement occurring or arising after the date of such event, except that the expiration or termination of this CSPA shall not relieve Custodian Service Provider of Custodian Service Provider’s obligations under this Section, nor shall it relieve Custodian Service Provider or Covered Entity from any liability arising from any breach of this CSPA. The Services Agreement shall also terminate concurrently with the termination or expiration of this CSPA, subject to the survival provisions of that Services Agreement.

(ii) Promptly upon expiration or termination of this CSPA for any reason, Custodian Service Provider shall return, or destroy, all Covered Entity PHI in its possession without retaining copies thereof except for such copies as may be required by applicable laws, rules, regulations or legal process.

(iii) In the event that the Custodian Service Provider determines that returning or destroying the Covered Entity PHI is infeasible, the Custodian Service Provider shall promptly provide the Covered Entity with written notification detailing the conditions that make return or destruction infeasible. The Custodian Service Provider agrees to continue extending the protections of this CSPA to such Covered Entity PHI and to limit further uses and disclosures of the PHI to only those purposes that prevent its return or destruction, for as long as the Custodian Service Provider retains such Covered Entity PHI.

(iv) The parties agree that radiological images stored on the Custodian Service Provider’s server may be retained indefinitely, provided they do not contain Covered Entity PHI (the “Retained Confidential Information”). The Custodian Service Provider shall ensure that such Retained Confidential Information remains protected in accordance with the terms and conditions of the Services Agreement for as long as it is retained by the Custodian Service Provider.

14) Relationship of the Parties. It is expressly understood that the Custodian Service Provider, and its employees and agents, if any, are not agents or employees of the Covered Entity and have no authority whatsoever to bind the Covered Entity, either by contract or otherwise.

15) Third Party Beneficiaries. Nothing expressed or implied in this CSPA is intended to confer, nor shall anything herein confer, upon any person or entity other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.

16) Survival. Notwithstanding anything in this CSPA to the contrary, the provisions of Section 13 shall survive the termination of this CSPA and any existing agreement, including the Services Agreement, between Covered Entity and Custodian Service Provider.

17) Notice. Any notice to the other party pursuant to this CSPA shall be provided in accordance with the notices provision set forth in the Services Agreement.

18) Amendment. The Parties agree to take all necessary actions to amend this CSPA as required for the Covered Entity to comply with PHIPA or any other applicable laws. However, any regulations applicable to the Custodian Service Provider or to the Covered Entity with respect to the Custodian Service Provider, promulgated after the Effective Date of this CSPA, shall be deemed incorporated into this CSPA until the Parties enter into an appropriate amendment.

19) Interpretation. Any ambiguity in this CSPA shall be resolved in favor of a meaning that permits Covered Entity to comply with PHIPA or other applicable law.

20) Effect. The terms and provisions of this CSPA shall supersede any other conflicting or inconsistent terms in the Services Agreement with respect to Covered Entity PHI. All other terms of the Services Agreement between Covered Entity and Custodian Service Provider, including all limitations and disclaimers of liability, shall remain in full force and effect and shall apply to this CSPA. This CSPA is expressly incorporated into the Services Agreement by reference.

21) English Language. The Parties confirm that it is their wish that this Agreement, as well as all other documents relating hereto, including all notices, be drawn up in the English language only. Les Parties aux présentes confirment leur volonté que cette convention, de même que tous les documents, y compris tout avis, qui s’y rattachent, soient rédigés en langue anglaise.