HITRUST CENTRAL SUBSCRIPTION AGREEMENT

including Common Security Framework License

THIS AGREEMENT (“Agreement”) is made by and between HITRUST SERVICES CORPORATION (“HITRUST”), a Delaware corporation with its principal place of business in Frisco, Texas, for itself and as agent for HEALTH INFORMATION TRUST ALLIANCE; and the Subscriber identified below (collectively, and together with any Users as identified below, the “Parties”).   As used in this Agreement, the term “Subscriber” shall include the entity identified to HITRUST as the “Subscriber,” together with its Permitted Affiliates and Registered Users as defined below.

In consideration of the following mutual covenants and commitments, the receipt and sufficiency of which are hereby acknowledged and confessed, the Parties hereby agree as follows:

1. Grant of License
Subject strictly to the terms and conditions of this Agreement, HITRUST hereby grants to Subscriber and Subscriber hereby accepts a personal, nonexclusive, nontransferable, and limited license (the “License”) to use the following:

(a) CSF.  The Common Security Framework, as may be amended from time to time (the “CSF™”), during the Term of this Agreement;

(b) Professional Level Access to HITRUST Central™ (“Professional”),  beginning on the Effective Date, and thereafter for the remainder of the Term of this Agreement, provided Subscriber is in compliance with the terms and conditions of this Agreement, elects to continue with Professional access; and pays the corresponding subscription fee; and

2. Delivery
Upon acceptance of this Agreement by HITRUST, and while Subscriber is in compliance with its obligations hereunder, HITRUST shall make available to Subscriber access to CSF™ and HITRUST Central™ at the Professional and/or Standard level, as applicable, for delivery by the Internet from the server(s) on which they are hosted. Access is unauthorized to any but Registered Users. HITRUST will use commercially reasonable efforts to make HITRUST Central™ available at all times, subject however to interruption for reasonable periods of time for maintenance, upgrade and management, and Subscriber acknowledges that it may also be subject to interruption, delay, reduced graphics quality, or other reasons not subject to HITRUST’s control such as events affecting Internet service providers or data hosting services.

3. Use of License
The License granted pursuant to this Agreement authorizes Subscriber to engage in only the following activities:

(a) For Internal, Limited Use Only. Subscriber may use the CSF solely for educational and information-sharing purposes to fulfill its own internal business needs.

(b) Limited Copies. Subscriber may make one (1) electronic copy of the CSF and/or content of HITRUST Central™ on a Subscriber computer, and a reasonable number of paper copies for each Registered User, provided that it reproduces HITRUST’s copyright notice and proprietary legend on all copies, and takes reasonable steps to protect such copies from further distribution.

(c) Permitted Affiliates Included.  “Permitted Affiliates” shall be authorized to use the CSF under and subject strictly to the terms and conditions of this Agreement.  Permitted Affiliates shall include Registered Users as defined herein, and entities which are under common ownership or control with Subscriber and are specifically identified to HITRUST.  Subscriber shall be fully responsible to HITRUST for any breach of this Agreement by its Permitted Affiliates, or any of its or their agents, representatives, employees, and any other person or entity to which Subscriber or any of its Permitted Affiliates gives access.

(d) Users to be Registered. Subscriber may sponsor one or more individuals to access HITRUST Central™ and use the CSF under Subscriber’s authority (“Registered Users”).  Registered Users may be employees or agents of Subscriber, but must need to use the CSF in order to provide internal services or perform internal functions for the Subscriber, be accessible through the Subscriber’s standard email convention, and shall be strictly subject together with Subscriber to the terms and conditions of this License.  Subscriber shall maintain a list of all current and past Registered Users at all times and shall identify its Registered Users to HITRUST.  Subscriber shall be solely responsible for insuring that only Registered Users use the CSF under Subscriber’s authority, and for promptly notifying HITRUST when s/he is no longer authorized by Subscriber.  Registered Users will be responsible for insuring that no one other than the Registered User gains access with his/her user name and/or password.  HITRUST may terminate a Registered User’s access at any time upon misuse of HITRUST Central™ in breach of the Terms of Use below.  Upon termination of a Registered User’s authorization under this License for any reason, Subscriber shall take steps to prevent the individual’s further electronic access to the CSF or HITRUST Central™, and remove any such electronic files or paper copies of the CSF or HITRUST Central™ from his or her possession, custody or control.

(e) Updates. HITRUST may, in its sole discretion, provide updates, enhancements, new versions and/or supplements of the CSF (“Updates”) to Subscriber.  Updates shall be deemed to be included in the CSF and therefore governed by this License, unless HITRUST expressly notifies Subscriber that the Update or Updates are provided under other licensing terms.  Subscriber acknowledges that such Updates may reflect new or different requirements for certification, and therefore agrees to monitor and be familiar with Updates as they occur.

(f) Terms of Use; Changes.  HITRUST hereby incorporates by reference the CSF™ and HITRUST Central™ Terms of Use found at https://www.hitrustcentral.net/termsAndConditions.aspx (Terms of Use”), provided that in event of any inconsistency between the Terms of Use and any provision of this Agreement, the provision of this Agreement shall control..  Subscriber agrees to comply with the Terms of Use at all times.  HITRUST may, in its sole discretion, change the Terms of Use from time to time, to take effect immediately upon notice.  Ordinarily HITRUST will endeavor to make a reasonable effort to provide email notice of such changes, but such changes will take effect upon their posting on the HITRUST website regardless of whether email or other actual notice has been given.

(g) Content Contribution.  Registered Users may upload or post truthful, non-defamatory content they create to HITRUST Central™, provided that (i) such content shall not be considered personally identifiable information for purposes of the HITRUST Online Services Privacy Policy; (ii) HITRUST accepts no obligation to review content at any time, but may remove it at any time in its sole discretion; (iii) all such contributions become the sole and exclusive property of HITRUST, including but not limited to all rights in and to copyright and moral rights (and including without limitation all rights to create derivative works, recover for infringement, register and renew in all countries, languages and media now known or hereafter developed); (iv) the confidential or proprietary nature of information uploaded or posted shall be deemed waived; (v) HITRUST shall not be deemed the publisher of any such contributions, will not be attributed to HITRUST, and will be attributed only to the Registered User who posted them; and (vi) a user who contributes content to HITRUST Central™ , and the Subscriber sponsoring the user, shall be liable jointly and severally to indemnify, hold harmless and defend HITRUST, its officers and agents, from and against any claims, losses or liabilities arising from or relating to any violation of this section by the user or Subscriber, or other liability arising from or pertaining to the user’s contribution of the content.

4. Restrictions of Use.
Any use of the CSF™ or HITRUST Central™ not expressly permitted by this Agreement is prohibited, including but not limited to the following:

(a) Use for Third Parties. Using part or all of the CSF™ or HITRUST Central™to provide analyses, assessments, or services or products of any kind to any person or entity;

(b) Derivative Works. Creating any Derivative Work of the CSF™ or HITRUST Central™for any purpose not permitted hereunder without HITRUST’s express prior consent;

(c) Unauthorized Access. Accessing unlicensed components of CSF, or HITRUST Central™ or related services without express authorization;

(d) Reverse Engineering. Disassembling, decompiling or otherwise reverse engineering any part of the CSF or HITRUST Central™, or removing, modifying or obscuring any copyright, trade secret or other proprietary legend;

(e) Unauthorized Copying. Copying all or any part of the CSF or HITRUST Central™except for the purposes and to the extent authorized herein; or

(f) Assignments. Assigning this Agreement, or sublicensing, distributing, or otherwise transferring any part of the CSF or HITRUST Central™except in the connection with the sale or transfer of all or substantially all of the Subscriber’s stock or assets.

(g) Commercial Uses.  For any commercial or personal use, including but not limited to “scraping,” surveys, contests, pyramid schemes, chain letters, junk mail, spamming or unsolicited messages (commercial or otherwise), advertising, or offering to sell or buy goods or services for any personal or business purposes.

(h) Use Contrary to Law.  Use in any way which violates any applicable law or regulation, including but not limited to hacking, password cracking, “spoofing” or other unauthorized access; attempting to obtain any materials or information through any means not intentionally made available through HITRUST Central™; use of viruses, Trojan horses, worms, spyware, or other malware; .use to defame, stalk, threaten or otherwise violate the legal rights of others (including rights of privacy, publicity, copyright or otherwise); transmission of materials in violation of intellectual property laws; or false or misleading use of proprietary designations or labels.

(i) Use Injurious or Obstructive to Others.  Use in any way that could damage, disable, overburden, or impair or interfere with any other party’s use of the services or access to HITRUST Central™.

5. License Fees and Payments.

(a) Fees.  Fees for subscriptions and for other products or services will be charged according to HITRUST’s current terms and prices, which are subject to change without notice.   No refund or credit will be given in event of early termination.

(b) Payment Terms; Taxes. All amounts which may be due and payable to HITRUST and which are not paid in full when due will bear interest at the rate of one percent (1%) per month simple interest until paid in full, or the highest amount allowed by law, whichever is less.  Fees will not include taxes now or hereafter levied, all of  which shall be for Subscriber’s account.  Subscriber agrees to indemnify HITRUST and hold it harmless from any taxes or related costs, interests or penalties paid or payable by Subscriber other than taxes related to HITRUST’s income. 

6. HITRUST Ownership of Intellectual Property

(a) Sole and Exclusive Ownership by HITRUST.  Subscriber acknowledges HITRUST’s sole and exclusive ownership, right and title in and to the CSF and all documentation related thereto, together with all copies, and all changes, modifications, deletions, translations, derivations or additions thereto, including but not limited to any text, images, photographs, animations, video and audio incorporated into them.  The Parties further agree that the CSF constitutes copyrighted and/or proprietary information of HITRUST which is protected by copyright, and that any and all rights, inventions and copyrights arising out of or related to the CSF or related documentation, and all rights to license, market or otherwise develop or dispose of the CSF or related documentation, are and shall be the exclusive property of HITRUST.

(b)  HITRUST Trade Secrets.  The Parties further agree that the CSF includes valuable, confidential information, compilations, methods, techniques, procedures and processes not generally known or readily ascertainable by proper means, which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for the CSF, including the terms of this License, to prevent their unauthorized disclosure or use.  To further those measures, Subscriber agrees that it will take all measures as may be reasonably requested by Subscriber, and in no event less than reasonable measures, to ensure that the CSF and related documentation are held in confidence and are not used or disclosed except as permitted under this Agreement or with HITRUST’s express prior consent.  This obligation will survive the termination or expiration of this Agreement or the Parties’ relationship for any reason.

(c) Exclusions.  These prohibitions shall not apply to information, compilations, methods, techniques, procedures or processes included in the CSF that are or have become generally known in the industry through no fault of Subscriber; or which Subscriber can show from written records were (i) known to it before entering this License, (ii) independently developed by it without use of or reference to the CSF, or (iii) lawfully obtained by it from a third party not in breach of any obligation to HITRUST.  They will also not apply to residual knowledge retained in intangible, non-electronic form by Registered Users due to their access to the CSF, such as general ideas, concepts, and know-how.

(d) Certification; Injunctive Relief.  Upon HITRUST’s request, an officer of Subscriber shall certify in writing that it is in full compliance with the terms and conditions of this License.  Subscriber hereby acknowledges that any violation of this License by it or an affiliated person or entity would cause irreparable injury to HITRUST, and, as a result, HITRUST shall be entitled to seek any injunctive relief or other rights or remedies to which HITRUST is or may be entitled to under law to prevent or mitigate the effects of such violation.

7. Defense of Infringement and Misappropriation Claims.

(a)  Notice and Cure.  If HITRUST receives notice that any component of the CSF may infringe any valid U.S. copyright, U.S. trademark or U.S. patent or constitute a misappropriation of a valid trade secret under the law of any state, HITRUST may, at its sole discretion: (i) procure for Subscriber the right to continue using the potentially or allegedly infringing or misappropriated component, or (ii) modify the CSF to provide for substitute materially equivalent functioning or a materially functional equivalent which does not infringe and/or is not misappropriated.  If HITRUST elects to provide substitute equivalent functioning or a functional equivalent, upon notice Subscriber shall stop using the allegedly infringing or misappropriated component and shall cooperate with HITRUST in implementing use of the functional substitute.        

(b) Defense.  HITRUST will defend Subscriber against any claims by an unaffiliated third party that any component of the CSF infringes any valid U.S. copyright, U.S. trademark or U.S. patent or misappropriates any trade secret valid under the law of any applicable state, provided Subscriber gives HITRUST prompt written notice of such a claim with all information known to it, gives HITRUST sole control over its defense or settlement, and provides HITRUST with complete and timely assistance and cooperation in such defense.

(c) Limitation of Duty to Defend.  HITRUST shall have no obligation to defend Subscriber against any claim (i) that is based upon an allegedly infringing use or use of misappropriated intellectual property after HITRUST has notified Subscriber of a functional substitute as provided above; (ii) that results from any use or disclosure of the CSF, in whole or in part, in breach of any term of this License; (iii) for any claim based in whole or in part on Subscriber’s acts or omissions; or (iv) use by Subscriber in any manner, purpose or combination not expressly authorized by HITRUST.

d) Exclusive Remedy.  The rights and remedies stated in this Section state HITRUST’s entire liability and the exclusive remedy of Subscriber with respect to any claim of infringement or misappropriation of the intellectual property rights of any third party, whether arising under statutory or common law or otherwise.

8. Representations and Warranties.

(a) Subscriber hereby represents and warrants to HITRUST that Subscriber is a healthcare organization or otherwise involved in the responsible handling of heathcare information; that it is fully authorized to enter into this Agreement; and that it will comply in all respects with its obligations hereunder.         

(b) THE CSF AND ACCESS TO HITRUST CENTRAL™ ARE PROVIDED“AS IS,” WITH ALL FAULTS.  HITRUST, ITS AGENTS AND ITS SUPPLIERS HEREBY DISCLAIM ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES, DUTIES AND CONDITIONS, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, QUIET POSSESSION, SECURITY, CONFORMITY TO DESCRIPTION, NON-INFRINGEMENT, RELIABILITY, ACCURACY OR COMPLETENESS, OR RESULTS.  THE ENTIRE RISK AS TO THE QUALITY OR ARISING OUT OF THE USE OF THE CSF OR HITRUST CENTRAL™ AT ALL TIMES REMAINS WITH THE SUBSCRIBER, ITS PERMITTED AFFILIATES AND ITS REGISTERED USERS.

9. Exclusion of Incidental, Consequential and Certain Other Damages.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL HITRUST OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER DATA OR INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, NEGLIGENCE, OR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE CSF or HITRUST CENTRAL™, THE PROVISION OF OR FAILURE TO PROVIDE THE CSF OR HITRUST CENTRAL™, OR OTHERWISE ARISING OUT OF THE USE OF THE CSF OR HITRUST CENTRAL™, OR OTHERWISE IN CONNECTION WITH THIS AGREEMENT EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF HITRUST OR ANY AGENT OR SUPPLIER, AND EVEN IF HITRUST OR ANY AGENT OR SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10. Limitation of Liability and Remedies.

(a) UNDER NO CIRCUMSTANCES, AND UNDER NO THEORY, SHALL THE LIABILITY OF HITRUST OR ANY OF ITS AFFILIATES, SUPPLIERS, OFFICERS, AGENTS, EMPLOYEES, OR REPRESENTATIVES TO SUBSCRIBER OR ANYONE IN PRIVITY WITH SUBSCRIBER EXCEED THE TOTAL AMOUNT ACTUALLY RECEIVED BY HITRUST AS FEES UNDER THIS AGREEMENT.         

(b) THESE DISCLAIMERS AND LIMITATIONS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

11. Indemnification.
Subscriber hereby agrees to defend, indemnify and hold harmless HITRUST, its officers, directors, shareholders, employees and agents at Subscriber’s own expense from and against any and all suits, claims, actions, losses, costs, penalties and damages of whatsoever kind in nature, including settlement amounts, expert witness fees and attorney’s fees and costs, arising out of or in connection with or incident to the use of CSF, HITRUST Central™ or any related good or service by Subscriber, its Permitted Affiliates, its Registered Users or any other person or entity affiliated with it, or any breach of this Agreement by Subscriber or any of the above-referenced persons or entities.

12. Term and Termination

(a)  Term.  The term of this Agreement (“Term”) shall begin on the date accepted by Subscriber and shall expire one (1) calendar year later, unless terminated sooner.        

(b) Termination.  Subscriber may terminate this Agreement at any time for any reason.  HITRUST may terminate this Agreement upon breach or threatened breach by Subscriber or any person acting under Subscriber’s authority (i) which occurs or remains uncured ten (10) days after notice from HITRUST, or (ii) which relates to confidentiality of any HITRUST confidential or proprietary information or HITRUST’s sole and exclusive ownership of intellectual property rights related to CSF or related documentation.  In the latter event this Agreement may be terminated by HITRUST immediately upon notice.

(c) Events Upon Termination.  Immediately upon termination or expiration of this Agreement, Subscriber and all persons acting under Subscriber’s authority will cease access to and use of the CSF or HITRUST Central™and related documentation, and will remove all electronic and paper copies from their possession, custody and control.  All provisions relating to the protection of HITRUST’s confidential and proprietary information and to HITRUST’s sole and exclusive ownership of intellectual property rights related to CSF or HITRUST Central™or related documentation shall survive expiration or termination of this Agreement.

13. Miscellaneous.

(a) Notices.  Notices required or permitted to be given under this Agreement shall be deemed delivered when sent by email, without notification of transmittal failure, to the email addresses provided by the Parties in this Agreement.  Such addresses may be changed upon written notice to the other party, provided such notice is conspicuous and clear.  Subscriber will be solely responsible for insuring that any such notice from HITRUST is timely forwarded to Permitted Affiliates and Registered Users acting under HITRUST’s authority.        

(b) Entire Agreement.  This Agreement contains the entire agreement of the Parties relating to the subject matter hereof, superseding all prior written or oral agreements, commitments, representations or understandings.  Each party represents and warrants to the other that in entering into and performing its obligations hereunder, it is not relying on any promise, inducement, course of dealing or trade, or representation not contained herein.

(c) Severability.  If any provision of this Agreement is found for any reason to be invalid or unenforceable, it will be deemed severed and the remainder of the Agreement enforced, and in place of the invalid or unenforceable portion there shall be deemed substituted, as of the effective date of this Agreement, a provision as nearly similar to it as possible while still being valid and enforceable.

(d) Further Assurances.  Each party agrees to cooperate fully with the others and to execute such further instruments as may be reasonably requested by the other party to carry into effect the intents and purposes of this Agreement.

(e) No Waiver.  The failure or delay of any party at any time to require performance by the other party of any provision of this Agreement shall not be construed as a waiver of such performance, or of any continuing or succeeding breach of such provision.

(f) Force Majeure.  Either party shall be excused from delay in or failure of performance to the extent it results from causes beyond that party’s reasonable control, provided that the party acts diligently to remedy the cause of the delay or failure.  Inability or failure to pay or to control one’s own affiliates, employees, or agents will not be considered an event of force majeure.

(g) No agency.  Each party is acting as an independent contractor and in no way is the agent or partner of the other in any respect.  No party has the authority to make commitments for or bind the other to any obligation.

(h) Export Restrictions.  Subscriber agrees to comply in all respects with any governmental laws, orders or other restrictions (“Export Restrictions”) on the export or re-export of the CSF or HITRUST Central™or related documentation imposed by the governments of the United States or the country to which it is shipped.  Subscriber shall not commit any act or omission that will result in a breach of Export Restrictions.

(i) Choice of Law and Forum; Jury Waiver.  This Agreement and the relationship between and among the Parties shall be interpreted, governed and enforced under Texas law, excluding its choice of law provisions.  The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.  Any action arising from or pertaining to this Agreement or the relationship between or among the Parties shall be heard in the state or federal courts in or for Collin County, Texas and in no other location. Subscriber and all persons or entities in privity with it hereby waive all defenses of lack of personal jurisdiction forum non conveniens.  TO THE FULLEST EXTENT PERMITTED BY LAW, THE PARTIES HEREBY WAIVE TRIAL BY JURY.