Gold Certified Biller Terms

Payment Terms. All Monthly Facility Fees are due and payable within fifteen (15) days of the invoice date. Fees or costs which are past due shall bear interest at the rate of five percent (5%) or $250 per month, whichever is greater, or the maximum allowed by law.

Certification Designation. Participant shall display the Certification Logo, which shall serve as a hyperlink directing to, at the bottom of its website’s home page. In exchange, Kipu will provide a dedicated listing for Provider at You may not use the Certification Designation or the Certification Logo in any way that: (i) may be construed to establish an affiliation between Kipu and any third parties other than you; (ii) negatively impacts Kipu’s reputation or goodwill or (iii) that violates this Agreement. Kipu retains all rights, title and interests in the Certification Designation and Certification Logo. Nothing herein shall be construed to grant any other rights to you. Other than the Certification Logo, you shall not use any other marks or intellectual property rights of Kipu without Kipu’s express written consent.

Training. Upon approval of your Application, Kipu, at mutually convenient dates and times, will provide you with one or more remote administrative CAS trainings on the Kipu Services for the users assigned to the Biller Manager role, and one or more remote end-user trainings for the Participant’s staff. These administrative trainings include CAS organization, maintenance, user set up information and the key features of the Kipu Service from a biller’s perspective. You covenant and agree that no user within your organization shall access the Kipu Service of any Contracted Kipu Facility on your behalf, even with such Contracted Kipu Facility’s express consent, prior to having attended a remote training session with Kipu.

Audits. You hereby consent that Kipu through its Program staff may, from time to time, and without advance notice, audit your participation in the Program and compliance with this Agreement. Such audits may be conducted electronically by remotely monitoring your access to Contracted Kipu Facilities through the CAS, by direct request of information from you, and/or in other formats. You hereby consent to and agree to cooperate with all such audits and requests for information conducted by Kipu.

Billing Forms. If and to the extent that you have specific patient documentation forms that you desire a Contracted Kipu Facility to use as part of your billing services, Kipu may, at its discretion, upload copies of such documentation into the Kipu Service on your behalf. Such uploading shall require approval from the applicable Contracted Kipu Facility. You shall be solely responsible for the content of all such documentation and shall indemnify Kipu if any such documentation violates the intellectual property or other rights of any third parties.

Kipu Marketplace. As part of your participation in the Program, Kipu shall display your name and a link to your website as on the “Treatment Direct” market place, which is maintained by a Kipu affiliate, free of any additional charge.

Disclosure of Your Certification Designation and Related Information. From time to time, third parties may contact Kipu in order to verify your Certification Designation status, and you hereby authorize Kipu to disclose information regarding your Certification Designation status to such third parties seeking verification. Further, you acknowledge that Kipu may provide third parties access to information regarding your Certification Designation via a publicly available website or through one of more Kipu affiliates. Kipu may also use and disclose information such as Certification Designation and information regarding associated audit results to administer and facilitate the Program, including your participation therein or involvement thereto. Without limiting the foregoing, Kipu may share information about your Certification Designation and information regarding associated audit results with the entity or entities to which you are providing services for the purposes of facilitating and improving the Program. If Kipu revokes your Certification Designation, Kipu has the right to notify the entity to which you are providing services, and respond to any inquiry by such entity, about changes in the status of your Certification Designation.

Proprietary and Confidential Information. You agree that this Agreement, including the Cover Sheet and all Exhibits and Addenda, the VOB Agreement, the TOS, and all content, related agreements, and documents related to this Agreement and your participation in the Program is Kipu confidential and proprietary information (“Confidential Information”). You are prohibited from disclosing, copying, or publishing Confidential Information and your confidentiality obligations shall survive the termination of this Agreement. “Confidential Information” also includes all material, non-public information, written or oral, disclosed, directly or indirectly, through any means of communication or observation by Kipu or any of its affiliates or representatives to or for your benefit. You shall hold in confidence all Confidential Information that we disclose to you under this Agreement. You many only use any Confidential Information in accordance with the terms of this Agreement. You (a) will not disclose Confidential Information except to your employees or to potential suppliers or subcontractors, and only to persons legally bound comply with the your obligations under this section, in each case only to the extent necessary to achieve the purposes contemplated by this Agreement; (b) will not use Confidential Information except for the purposes contemplated by this Agreement; (c) will use at least the same degree of care to safeguard Confidential Information that you use to protect your own confidential and proprietary information, and in any event not less than a commercially reasonable degree of care under the circumstances; and (d) will make copies of Confidential Information only as needed for such purpose, all of which shall include any existing markings indicating that they are Confidential Information of the discloser, or shall have markings supplied by you.

Indemnification. You agree to indemnify, defend and hold Kipu and its officers, directors, affiliates, employees and representatives harmless from and against any all claims, losses, liabilities, damages, costs and expenses, including reasonable attorney’s fees, arising out of or relating to any breach of the representations, warranties and covenants in this Agreement, or caused directly by any acts or omissions by you in regards to your use of the Certification Designation or the Certification Logo.

Notices. All notices under this Agreement shall be in writing and shall be deemed to have been given upon: (i) personal delivery; (ii) the second business day after mailing; (iii) the second business day after sending by confirmed facsimile; or (iv) the second business day after sending by email. Notices to Kipu shall be addressed to the attention of its Director, Gold Certified Biller Certification with a copy to its General Counsel.

Modifications and Waivers. Kipu reserves the right to modify this Agreement, including but not limited to the terms and conditions for participation in the Program, the requirements for Certification Designation, the restrictions governing use of the Certification Logo, and pricing, at any time upon providing notice to Participant, and such changes shall go into effect within thirty (30) days after the date of such notice, provided that Participant may terminate this Agreement without penalty within seven (7) days after receipt of any such changes, or otherwise is deemed to have accepted such changes. The KIPU TOS are separately governed by its terms with respect to modifications. Otherwise, this Agreement may not be modified, nor may any term or condition herein be waived, except in a writing signed by the CEO or CFO of Kipu. Neither failure nor any delay by any party in exercising any right, power, or privilege under this Agreement will operate as a waiver of such right, power, or privilege. In addition, no course of dealing between or among any entity having any interest in this Agreement will be deemed effective to modify or amend any part of this Agreement or any rights or obligations of any entity under or by reason of this Agreement.

Business Associate Agreement

​This Business Associate Agreement (the “HIPAA Agreement”), effective upon the date of notification to Participant that it has been accepted into the Kipu Gold Certified Biller Program (the “Effective Date”), is entered into by and between Kipu Systems, LLC (“Kipu”) and the Participant, (Participant and Kipu each a “Party” and collectively the “Parties”).

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the HIPAA Privacy rule (“Privacy Rule”), 45 C.F.R. Parts 160 and 164, and the HIPAA Security Rule (“Security Rule”), 45 C.F.R. Parts 160, 162 and 164, require Participant to enter into a written agreement with a Business Associate in order to protect the privacy and security of individually identifiable health information (“Protected Health Information,” or “PHI”). To fulfill the obligations to Participant pursuant to either an existing or contemporaneously executed HIPAA Agreement for services to be provided to Participant, the Parties enter into this HIPAA Agreement to protect PHI and, intending to be bound, hereby agree to the following:

Terms used, but not otherwise defined, in this HIPAA Agreement shall have the meanings set forth below.

“Breach” shall mean:
– IN GENERAL – The term “breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
– EXCEPTIONS – The term “breach” does not include:
– Any unintentional acquisition, access, or use of PHI by a workforce member or person acting
under the authority of Participant or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or
disclosure in a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
–Any inadvertent disclosure by a person who is authorized to access PHI at Participant or a
business associate to another person authorized to access PHI at the same Participant or
business associate, or organized health care arrangement in which Participant participates,
and the information received as a result of such disclosure is not further used or disclosed in
a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
– A disclosure of protected health information where Participant or Kipu has a good faith belief
that an unauthorized person to whom the disclosure was made would not reasonably have
been able to retain such information.

Except as provided in paragraph (B) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not otherwise permitted is presumed to be a breach unless Participant or Kipu, as applicable, demonstrates that there is a low probability that the protected health information has been com-promised based on a risk assessment of at least the following factors:

The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

The unauthorized person who used the protected health information or to whom the disclosure was made;

Whether the protected health information was actually acquired or viewed; and

The extent to which the risk to the protected health information has been mitigated.

“Designated Record Set” shall mean a group of records maintained by or for Participant that is (i) the medical records and billing records about Individuals maintained by or for Participant, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Participant; or (iii) used, in whole or in part, by or for Participant to allow its customers to make decisions about Individuals. As used herein the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Participant.

“Electronic Protected Health Information” shall mean Protected Health Information transmitted by Electronic Media or maintained in Electronic Media.

“Electronic Media” shall mean (1) electronic storage media on which data is or may be recorded electronically, including computer hard drives and any digital memory medium that is removable or transportable, such as magnetic tape or disk, optical disk, or digital memory card; and (ii) transmission data used to exchange information already in electronic storage media, including, for example, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

“Health Care Operations” shall mean activities including: (i) quality assessment and improvement activities (outcomes, evaluation and development of clinical guidelines), population-based activities relating to improving health or reducing health care costs, and related activities that do not include treatment; (ii) peer and entity review, education, credentialing activities; (iii) except as prohibited by 42 C.F.R. § 164.502(a)(5)(i) underwriting, enrollment premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; (iv) conducting or arranging for medical review, legal services, and auditing services, including fraud and abuse detection and compliance programs; (v) business planning and development; (vi) business management and general administrative activities of the entity; and (vii) licensure/accreditation.

“Individual” shall have the same meaning given such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

“Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an Individual, and (i) is created or received by Participant or Kipu on behalf of Participant; and (ii) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and identifies the Individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

“Payment” shall mean (i) except as prohibited by 45 C.F.R. § 164.502(a)(5)(i) the activities undertaken by a Participant customer (“Covered Entity”) to obtain premiums or to determine or fulfill its responsibility for coverage and the provision of benefits under the Covered Entity’s health plan(s); or (ii) a covered health care provider or health plan’s activity to obtain or provide reimbursement for the provision of health care. Such activities include eligibility/coverage determinations, risk adjusting, billing, claims management and collection activities, health care data processing, reviews of health care services with respect to medical necessity, coverage under the Covered Entity’s health plans, appropriateness of care, or justification of charges; utilization review activities (including prior authorization), disclosure to consumer reporting agencies relating to the collection of premiums or reimbursement.

“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.

“Privacy Standards” shall mean the Standard for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.

“Protected Health Information” or “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media, (ii) maintained in any medium constituting Electronic Media; or (iii) transmitted or maintained in any other form or medium. “Protected Health Information” shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. § 1232g, (ii) records described in 20 U.S.C. § 1232g(a)(4)(B)(iv), employment records held by Participant in its role as an employer; and regarding a person who has been deceased for more than 50 years.

“Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.

“Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

“Security Incident” shall mean any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system.

“Security Rule” shall mean the Security Standards at 45 C.F.R. Parts 160, 162 and 164.

“Program Agreement” collectively refers to and means Kipu Gold Certified Biller Program Agreement entered between Kipu and Participant.

“Subcontractor” means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

“Treatment” shall mean the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, including Participant and/or Kipu; consultation between health care providers relating to an Individual; or the referral of an Individual for health care from one health care provider to another.

Incorporation of agreements. The Program Agreement between Participant and Kipu hereby incorporates the terms of this Agreement. In the event of conflict between the terms governing HIPAA and confidentiality of patient data and files between in the Program Agreement and this HIPAA Agreement, the terms and conditions of the HIPAA Agreement shall govern.

Use and Disclosure of PHI to Provide Services. Except as otherwise permitted by this Agreement, the Program Agreement or HIPAA, the Privacy Rule, the Security Rule or the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Kipu will use and disclose Protected Health Information only as permitted or required by the terms of this HIPAA Agreement, to the extent required to fulfill Kipu’s obligations under the Program Agreement or to perform any other related function, activity or service specifically requested by Participant in writing, or as Required By Law. All other uses not authorized by this HIPAA Agreement are prohibited. Specifically, Kipu is prohibited from using to harm or to the detriment of Participant any information learned or gathered by Participant as part of its performance of the HIPAA Agreement.

Kipu agrees to:

Use or further disclose only the minimum necessary PHI in performing the activities required under the Program Agreement between the Parties.

Not use or further disclose PHI except as permitted under this HIPAA Agreement, HIPAA, the Privacy Rule, the Security Rule, the Recovery Act and applicable state law or regulation, each as amended from time to time.

Establish, implement, and enforce all appropriate safeguards to prevent the use or disclosure of Protected Health Information other than pursuant to the terms and conditions of this HIPAA Agreement.

Take reasonable steps to ensure that its employees’ actions or omissions do not cause Kipu to breach the terms of this HIPAA Agreement.

Document disclosures of PHI in accordance with 45 C.F.R. 164.528, in order for Participant to respond to a request from an Individual for an accounting of disclosures of PHI or in order for the Kipu to respond to a request for an accounting to the extent required by the Recovery Act.

Report to Participant in writing any use or disclosure of the PHI of which Kipu becomes aware that is not permitted by this HIPAA Agreement within five days of Kipu’s discovery of such use or disclosure.

Mitigate, to the extent practicable, any harmful effect that is known to Kipu of a use or disclosure of PHI by Kipu in violation of this HIPAA Agreement.

Enter into a written agreement with any Subcontractors or agents that receives, creates, maintains or transmits PHI received by Kipu on behalf of Participant, binding such subcontractors or agents to the same restrictions, terms and conditions that apply to Kipu pursuant to this HIPAA Agreement with respect to such PHI, including the requirement that the Subcontractor or agent, as applicable, implement reasonable and appropriate safeguards to protect any electronic PHI that is disclosed to it by Kipu.

Upon Participant’s request and within 10 days of such request, provide to Participant all required information to permit Participant to respond to a request from an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.

Maintain the integrity of any PHI transmitted by or received from Participant.

Provide Participant or, as directed by Participant, to an Individual to whom the PHI relates, the rights of access, amendment, and accounting as set forth in 45 C.F.R. 164.524, 45 C.F.R. 164.526 and 45 C.F.R. 164.528.

Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Participant. Kipu shall implement policies and procedures regarding such safeguards.

Promptly report to Participant, in writing, any Security Incident of which Kipu becomes aware.

Notify Participant of any Breach within 5 (five) days of discovery by Kipu as required by federal law. Delay in notification may only be allowed under the Recovery Act § 13402(g) and 45 C.F.R. 164.412. The notice shall include the identification of each Individual whose unsecured PHI has been, or is reasonably believed by the Kipu to have been accessed, acquired, or disclosed during such Breach.

Comply with requested restrictions on the disclosure of PHI as communicated to Kipu by Participant if the disclosure is to a health plan for the purposes of carrying out Payment or Health Care Operations (and is not for the purpose of carrying out Treatment) and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

Limit required use and disclosure of PHI, to the extent practicable, to the limited data set as defined by 42 C.F.R. 164.514(e)(2), or the minimum necessary to accomplish the intended purpose of such disclosure, subject to exceptions set forth in the Privacy Rule.

If Kipu maintains Electronic Health Records as that term is defined in Section 13400 of the Recovery Act and an Individual requests a copy of such records, transmit the electronic records directly to an entity or person designated by the Individual, provided that any such choice is clear, conspicuous, and specific. Any fee charged for such electronic records shall not exceed Kipu’s labor costs.

If Kipu knows of a pattern of activity or practice of Participant that constitutes a material breach or violation of Participant’s obligations under this HIPAA Agreement, unless Participant successfully takes steps to cure the Breach or end the violation after receipt of notice from Kipu, then Kipu shall terminate this HIPAA Agreement and the Program Agreement or, if not feasible, notify the Secretary.

Be subject to the application of civil and criminal penalties for violation of Sections 13401 and 13404(a) and (b) of Part 1 of the HITECH Act.

To the extent Kipu is carrying out one or more obligations of Participant under 45 C.F.R. Part 164, Subpart E, Kipu shall comply with the requirements of Subpart E that apply to Participant in the performance of such obligation(s).

Kipu shall keep such records and submit such compliance reports in such time and manner and containing such information as the Secretary may determine to be necessary to enable the Secretary to ascertain whether Kipu has complied or is complying with the applicable administrative simplification provisions. Kipu shall also cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of Kipu to determine whether Kipu is complying with the applicable administrative simplification provisions.

Kipu may:

Use PHI in its possession for proper management and administration of its duties under the Program Agreement or to fulfill any of its legal responsibilities under the Program Agreement.

Disclose PHI in its possession to third-parties for proper management and administration, or to fulfill any of its legal responsibilities under this HIPAA Agreement or the Program Agreement; provided that (i) the disclosures are Required By Law, as provided for in 45 C.F.R. § 164.103, or (ii) Kipu has received written assurances from the third party that the PHI will be held confidentially, and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party, and that the third party will notify Kipu of any instances of which it is aware in which the confidentiality of the PHI has been breached, as required under 45 C.F.R. § 164.504(e)(4).

De-identify any and all PHI, provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that Kipu maintains the documentation required by 45 C.F.R. § 164.514(b), which may be in the form of a written assurance from Kipu. Pursuant to 45 C.F.R. § 164.502(d), de-identified information does not constitute PHI and is not subject to the terms of the HIPAA Agreement.

Participant shall:

Notify Kipu in writing of any restriction to the use or disclosure of Protected Health Information that Participant has agreed to in accordance with 45 C.F.R. § 164.522 or a restriction pursuant to the Recovery Act § 13405 (a) to which Participant’s compliance was mandatory to the extent such restriction may affect Kipu’s use or disclosure of Protected Health Information. Before agreeing to any restriction on use or disclosure permitted under 45 C.F.R. § 164.522, but not mandated under the Recovery Act § 13405(a), Participant shall advise Kipu of the contemplated restrictions and Kipu shall, as promptly as practicable, advise Participant of the additional costs Participant will incur to implement such restriction.

Notify Kipu of any changes to, or withdrawal of, the consent or authorization of an Individual provided to Participant pursuant to 45 C.F.R. § 164.506 or § 164.508 to the extent such changes may affect Kipu’s ability to perform its obligations under this HIPAA Agreement.

6. Access to PHI. Within five (5) days of a request by Participant for access to PHI maintained by Kipu, Kipu shall make PHI available to Participant, or at the written direction of Participant, to an Individual to whom such PHI relates or his or her authorized representative. In the event any Individual requests access to PHI directly from Kipu, Kipu shall, within five (5) days, forward such request to Participant. Any denials of access to the PHI requested shall be the responsibility of Participant.

7. Amendment of PHI. Kipu shall make PHI available to Participant and will amend PHI as instructed by Participant, in a manner consistent with the Privacy Rule within ten (10) days of receipt of a request from Participant for the amendment of patient’s PHI.

8. Accounting for Disclosures of PHI. Within thirty (30) days of notice by Participant to Kipu that it has received a request for an accounting of disclosures of PHI, Kipu shall make available to Participant such information as is in Kipu’s possession required for Participant to satisfy the accounting of disclosures requirement set forth in the Privacy Rule. In the event the request for an accounting is delivered directly to Kipu, Kipu shall, within five (5) days, forward the request to Participant. It shall be Participant’s responsibility to prepare and deliver any such accounting requested.

9. Individual Rights Regarding Designated Record Sets. If Kipu maintains any PHI that could be construed to be part of a Designated Record Set of Participant, Kipu shall (i) provide access to, and permit inspection and copying of, PHI by Participant, or if directed by Participant, an individual who is the subject of the PHI under conditions and limitations required under 45 C.F.R. § 164.524, as it may be amended from time-to-time, and (ii) amend PHI maintained by Kipu as requested by Participant. Kipu shall respond to any request from Participant for access by an individual within five (5) days of such request and shall make any amendment requested by Participant within ten (10) days of such request. Any information requested under this Section 9 shall be provided in the form or format requested, if it is readily producible in such form or format. Kipu may charge a reasonable fee based upon Kipu’s labor cost in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). Participant shall determine whether a denial is appropriate or an exception applies. Kipu shall notify Participant within five (5) days of receipt of any request for access or amendment by an individual. Participant shall determine whether to grant or deny access or amendment requested by the individual. Kipu shall have a process in place for receiving requests for amendments and for appending such requests to the Designated Record Set, as requested by Participant.

​Notwithstanding the above, Kipu shall not permit access to any record if such access would violate Kipu’s ethical responsibilities or any other privilege that may be applicable to Kipu. To the maximum extent permitted by law, Participant hereby reserves and retains any and all privileges in which Participant has an interest with respect to Kipu’s performance of its obligations under this section. The parties acknowledge that Participant retains the right to waive any privilege with regard to its own records and to expressly instruct Kipu to provide access to those records as a result of that waiver. In the event Participant decides to waive any privilege, Participant shall provide Kipu with written notice of that waiver before Kipu shall act on such decision.

10. Records and Audit. If Kipu receives a request, made by or on behalf of HHS, requiring Kipu to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Participant with the Privacy Standards, then Kipu shall promptly notify Participant that Kipu has received such request. Except as otherwise set forth below, Kipu shall make its books and records relating to the use and disclosure of PHI by Participant available to HHS and its authorized representatives for purposes of determining compliance of Participant with the Confidentiality Requirements.

To the maximum extent permitted by law, Participant hereby reserves and retains any and all privileges in which Participant has an interest with respect to Kipu’s performance of its obligations under this Section 10. Kipu, to the maximum extent permitted by law, hereby reserves and retains any and all privileges or rights. This section shall not be construed to require Kipu to disclose or produce communications subject to any privileges or rights with respect to materials that analyze, evaluate or discuss the implications of PHI. Notwithstanding the above, in no event shall Kipu delay complying with a request of HHS or its authorized representatives if such delay appears reasonably likely to result in any penalty, fine or other liability being levied or imposed upon Participant (such likelihood to be determined in the sole discretion of Participant), and Participant has instructed Kipu in writing to disclose the information requested by HHS or its authorized representatives. The Parties acknowledge that Participant retains the right to: (i) waive any privilege with regard to books and records, and (ii) expressly instruct Kipu to provide HHS and its authorized representatives with such books and records in the event of such waiver.

​11. Government Access. Kipu will make its internal policies, procedures, books, and records relating to use and disclosure of PHI (excluding the actual PHI) received from, or created or received by Kipu on behalf of Participant, available to the Secretary for purposes of determining Participant compliance with the HIPAA Privacy and Security Rules, subject to any privileges covering Kipu.

12 .Representations and Warranties.

Each Party represents and warrants to the other Party:

That all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this HIPAA Agreement are, or shall be, appropriately informed of the terms of this HIPAA Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all provisions of this HIPAA Agreement.

That it will reasonably cooperate with the other Party in the performance of the mutual obligations under this HIPAA Agreement.

13. Term. Unless otherwise terminated as provided in Section 14, this HIPAA Agreement shall become effective on the Effective Date and is fully incorporated, as if fully set forth therein, with the Program Agreement (the “Termination Date”).

14. Termination.

Automatic Termination. This HIPAA Agreement will automatically terminate without any further action of the Parties upon termination of Participant’s participation in the Kipu Gold Certified Biller Program; provided, however, certain provisions and requirements of this HIPAA Agreement shall survive such expiration or termination in accordance with Section 15. Any data generated by Kipu pursuant to Section 4.3 shall remain unaffected by any termination.

Termination for Cause. Either Party may immediately terminate this HIPAA Agreement, the Program Agreement and any related agreements if the Party makes the determination that the other Party has breached a material term of this HIPAA Agreement. Alternatively, and in the sole discretion of the non-breaching Party, the non-breaching Party may choose to provide the breaching Party with written notice of the existence of the Breach and provide the breaching Party thirty (30) calendar days to cure said breach upon mutually agreeable terms. Failure by the breaching Party to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of the Program Agreement by the non-breaching Party. If termination is not feasible, Participant shall report the problem to the Secretary.

15. Effect of Termination. Upon termination of this HIPAA Agreement, Kipu agrees to return or destroy all PHI in whatever form or medium (including any Electronic Media under Kipu’s custody or control) received from Participant, created, received, transmitted or maintained by Kipu on behalf of Participant, including all copies of any data or compilations derived from PHI that are in the possession of subcontractors or agents of Kipu. Kipu shall retain no copies of the PHI. Kipu will complete such return or destruction as promptly as possible, following termination, cancellation, expiration or other conclusion of this HIPAA Agreement. Kipu is obligated to demonstrate to Participant that it is not feasible that the PHI be returned to Participant or destroyed and Participant will make a determination whether the reasons are sufficient to make return or destruction of PHI not feasible. If such a determination is made, Kipu shall extend the protections of this HIPAA Agreement to such PHI and limit further uses and disclosure of such PHI. Kipu shall disclose no information which in any way may harm or cause damage to Participant.

16. Indemnity. Kipu shall indemnify Participant for any damages suffered by Participant as a result of Kipu breaching any term of this HIPAA Agreement. Damages shall include any fine or other charges assessed against Participant as a result of Kipu disclosing any information covered by this HIPAA Agreement for any purpose other than performance of Kipu’s duties under the Service Agreement. Kipu shall be responsible for all cost of Breach Notification and Breach Remediation caused by Kipu breaching this HIPAA Agreement.

17. Third-Party Beneficiaries. Nothing in this HIPAA Agreement shall be construed to create third-party beneficiary rights in any person or entity.

18. Amendments; Waiver. This HIPAA Agreement may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The failure of either Party to enforce at any time any provision of this HIPAA Agreement shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this HIPAA Agreement or the right of either Party thereafter to enforce each and every such provision.

19. Notices. Any notice or other communication required or desired to be given to any Party under this HIPAA Agreement shall be in writing and shall be deemed given when (a) deposited in the United States mail, first-class postage prepaid, and addressed to that Party at the address for such Party set forth below; (b) the next business day immediately following delivery to Federal Express, or any other similar express delivery service for next-day delivery to that Party at that address; or (c) sent by facsimile transmission, with electronic confirmation, to that Party at its facsimile number set forth below. Any Party may change its address or facsimile number for notices under this HIPAA Agreement by giving the other party notice of such change.

(Company Address and Notice Information Listed in the Application)

Kipu Health LLC
Attn: Legal Department
55 Alhambra Plaza, 6th Floor
Miami, FL 33134

Notice of change of address of a Party shall be given in writing to the other Party as provided above

20. Governing Law, Venue and Attorney Fees and Costs. This HIPAA Agreement shall be governed by and construed in accordance with the laws of the State of Florida. In the event of any litigation in connection with, arising out of, or related to this HIPAA Agreement, the Parties agree that the Circuit Court of Miami-Dade County, Florida shall be the exclusive venue and jurisdiction for any litigation. At the option of Participant, the United States District Court for the Southern District of Florida, Miami-Dade Division, shall be the exclusive venue and jurisdiction for any litigation. Should legal action ever be necessary to enforce the terms of this HIPAA Agreement, the prevailing Party will be entitled to receive from the other Party all litigation expenses incurred in connection therewith, including but not limited to reasonable attorneys’ fees, paralegal fees, expert and investigator fees, and costs, on all levels, including any appeals, if any.

21. Assignment. Neither Party may assign this HIPAA Agreement without the prior written consent of the other.

22. Compliance with Law; Regulatory Changes. It is the Parties’ intent to comply strictly with all applicable laws, including without limitation, HIPAA, Medicare or Medicaid statutes, state statutes, or regulations (collectively, the “Regulatory Laws”), in connection with this HIPAA Agreement. In the event there shall be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either Party may perform or be compensated under this HIPAA Agreement or which shall make this HIPAA Agreement unlawful, the Parties shall immediately enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this HIPAA Agreement that complies with the law, regulation or policy and that approximates as closely as possible the economic position of the Parties prior to the change. In addition, the Parties hereto have negotiated and prepared the terms of this HIPAA Agreement in good faith with the intent that each and every one or the terms, covenants and conditions herein be binding upon and inure to the benefit of the respective Parties. To the extent this HIPAA Agreement is in violation of applicable law, then the Parties agree to negotiate in good faith to amend this HIPAA Agreement, to the extent possible consistent with its purposes, to conform to law.

23. Severability. In the event any provision of this HIPAA Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this HIPAA Agreement, which shall remain in full force and effect and enforceable in accordance with its terms.

24. Binding Effect. The provisions of this HIPAA Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.

25. Headings. All section headings contained in this HIPAA Agreement are to be considered for reference purposes only, and are not intended to define or limit the scope of any provisions of this HIPAA Agreement.

26. Counterparts. This HIPAA Agreement and any amendments may be executed in multiple originals, each counterpart shall be deemed an original, but all counterparts together shall constitute one and the same instrument.