By agreeing to these Terms and Conditions, you agree that you (as the “Covered Entity”) are allowing Custom Orthopaedic Solutions (the “Business Associate”) and Arthrex (“Subcontractor”) to receive your Protected Health Information, under the Terms and Conditions contained herein.

1. The Covered Entity is obligated to comply with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the American Recovery and Reinvestment Act of 2009 and associated Health Information Technology for Economic and Clinical Health Act (“HITECH”). Statutory and regulatory references herein are to the aforementioned laws as currently in effect or as subsequently updated, amended, or revised upon the date of such update, amendment or revision.
2. The Covered Entity has entered into, and may in the future enter into, agreements (“Agreements”) with the Business Associate and/or Subcontractor pursuant to which they use the Covered Entity’s patient-identifiable information defined as Protected Health Information at 45 C.F.R. § 164.501 ( “PHI”, which for the terms of these Terms and Conditions collectively include “ePHI”). For example, the Business Associate currently uses and/or discloses Covered Entity’s PHI in order to provide samples of its ArthrexVIP, SmartBone, and IRIS products.
3. The Business Associate and/or Subcontractor may use and disclose PHI necessary to perform its obligations to the Covered Entity except as otherwise specified or restricted herein. In addition to other permissible purposes, the Business Associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). Business Associate may use or disclose such de-identified information at its discretion, provided that such use or disclosure is consistent with the associated Service Agreement and applicable law. The Business Associate and/or Subcontractor may also (a) use PHI if necessary for its proper management and administration and to carry out its legal responsibilities and (b) disclose PHI to third parties for the same purposes so long as (i) the disclosure is required by law or (ii) the Business Associate and/or Subcontractor obtains reasonable assurances from said third party that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed and that the third party will notify the Business Associate and/or Subcontractor of any instances of which it is aware in which the confidentiality of the PHI has been breached. All other uses and disclosures not authorized by these Terms and Conditions are prohibited.
4. Obligations of the Business Associate and/or Subcontractor. The Business Associate and/or Subcontractor will:
   1. not use or further disclose PHI other than as permitted or required herein, in any written Agreement, or as required by law.
   2. use appropriate safeguards to prevent uses or disclosures of PHI other than as provided for herein or by any written Agreement.
   3. report to the Covered Entity any use or disclosure of PHI not provided for herein or by any written Agreement of which it becomes aware.
   4. ensure that any agents, including a subcontractor, to whom the Business Associate provides PHI on behalf of the Covered Entity agree to the same restrictions and conditions that apply to the Business Associate with respect to the PHI.
   5. within 45 days of receiving a written request from the Covered Entity for a copy of PHI, make the requested PHI available to the Covered Entity to enable the Covered Entity to respond to an individual who seeks to inspect or copy PHI.
   6. within 45 days of receiving a written request from the Covered Entity to make PHI available or to amend PHI, make the requested PHI available to the Covered Entity for amendment and incorporate any amendments to PHI directed by the Covered Entity.
   7. within 45 days of receiving a written request from the Covered Entity for an accounting of disclosures of PHI about an individual, provide to the Covered Entity a listing of the persons or entities to which the Business Associate and/or Subcontractor has disclosed PHI about the individual within the prior 6 years along with the dates of, reasons for, and brief descriptions of the disclosures to enable the Covered Entity to respond to an individual seeking an accounting of the disclosures of the individual's PHI.
   8. make its internal practices, books, and records relating to the use and disclosure of PHI received from, created by, or received by the Business Associate and/or Subcontractor on behalf of the Covered Entity available to the U.S. Department of Health and Human Services so that it may evaluate the Covered Entity’s compliance with the Privacy Rule.
   9. at the termination of any Agreement, or of the uses and/or disclosures of the PHI by the Business Associate and/or Subcontractor, if feasible, return or destroy all PHI received from, created by, or received by the Business Associate and/or Subcontractor on behalf of the Covered Entity that the Business Associate and/or Subcontractor still maintains in any form in connection with this relationship and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of these Terms and Conditions to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
5. Obligations of the Business Associate and/or Subcontractor with respect to Electronic PHI. Pursuant to 45 C.F.R. § 164.314(a)(2)(i), The Business Associate and/or Subcontractor will:
   1. implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
   2. ensure that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate safeguards to protect it.
   3. report to the Covered Entity any security incident of which it becomes aware, as that term is defined under 45 C.F.R. § 164.304.
6. The Covered Entity may immediately terminate this relationship and/or any related Agreements if the Covered Entity makes the determination that the Business Associate and/or Subcontractor have breached a material term of these Terms and Conditions.
   1. Breach Notification Procedures. Business Associate and/or Subcontractor will promptly make disclosure to Covered Entity in the event of any breach of PHI in full compliance with all current procedures, rules, regulations, and laws, including without limitation, HITECH and HIPAA, as any of these rules, regulations and laws may be amended from time to time. Such notification of any breach of PHI shall be made to the Covered Entity in writing without unreasonable delay but in no event not later than five (5) business days from the date that Business Associate and/or Subcontractor became aware of such breach, or should have known or should have become aware of such breach. Furthermore, in the event of an unauthorized use or disclosure of PHI or a breach of unsecured PHI, Business Associate and/or Subcontractor shall mitigate, to the extent practicable, any harmful effects of said disclosure that are or should be known to it. In the event of a breach, Business Associate and/or Subcontractor shall provide to Covered Entity (and Covered Entity’s internal and external auditors, inspectors, regulators and other representatives that Covered Entity may designate from time to time) access at reasonable hours to Business Associate’s and/or Subcontractor’s personnel, to the facilities at or from which Services are then being provided, and to Business Associate’s and/or Subcontractor’s records and other pertinent information, all to the extent relevant to the Services and Business Associate’s and/or Subcontractor’s obligations under this Agreement. Business Associate and/or Subcontractor shall provide any assistance reasonably requested by Covered Entity or its designee in conducting any such audit.
7. Compliance Related Changes The parties recognize that the rules, laws and regulations may change or may be clarified, such laws, include without limitation, HITECH and HIPAA, and that these Terms and Conditions may need to be revised, on advice of counsel, in order to remain in compliance with such changes or clarifications, and the parties agree to negotiate in good faith revisions to the term or terms that cause the potential or actual violation or noncompliance. In the event the parties are unable to agree to new or modified terms as required to bring the entire Agreement into compliance, either party may terminate this relationship on thirty (30) days written notice to the other party, or earlier if necessary to prevent noncompliance with a deadline or effective date or to protect any PHI at issue, as well as ensure compliance with all obligations under any of these procedures, rules, regulations or laws.